-commit 715e674a838f08748044bce459380762e9c1cd29
-Author: Sasha Levin <sasha.levin@oracle.com>
-Date: Wed Oct 7 11:03:28 2015 -0500
-
- PCI: Prevent out of bounds access in numa_node override
-
- 63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
- the numa node provided by userspace is valid. Passing a node number too
- high would attempt to access invalid memory and trigger a kernel panic.
-
- Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
- Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
- Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
- CC: stable@vger.kernel.org # v3.19+
+commit 87790bbd0d8dc2bd7fd86cb947e32886db9e9766
+Author: Matthew Wilcox <willy@linux.intel.com>
+Date: Tue Feb 2 16:57:52 2016 -0800
+
+ radix-tree: fix race in gang lookup
+
+ If the indirect_ptr bit is set on a slot, that indicates we need to redo
+ the lookup. Introduce a new function radix_tree_iter_retry() which
+ forces the loop to retry the lookup by setting 'slot' to NULL and
+ turning the iterator back to point at the problematic entry.
+
+ This is a pretty rare problem to hit at the moment; the lookup has to
+ race with a grow of the radix tree from a height of 0. The consequences
+ of hitting this race are that gang lookup could return a pointer to a
+ radix_tree_node instead of a pointer to whatever the user had inserted
+ in the tree.
+
+ Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
+ Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- drivers/pci/pci-sysfs.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ include/linux/radix-tree.h | 16 ++++++++++++++++
+ lib/radix-tree.c | 12 ++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
-commit 6abe1bb892fe394df80dd4267a8bd2874d537e4e
-Author: David Howells <dhowells@redhat.com>
-Date: Fri Sep 18 11:45:12 2015 +0100
+commit bf628043b4589c910919a0f221ae7f42aa8cea93
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Feb 3 02:11:03 2016 +0100
- ovl: use O_LARGEFILE in ovl_copy_up()
+ unix: correctly track in-flight fds in sending process user_struct
- Open the lower file with O_LARGEFILE in ovl_copy_up().
+ The commit referenced in the Fixes tag incorrectly accounted the number
+ of in-flight fds over a unix domain socket to the original opener
+ of the file-descriptor. This allows another process to arbitrary
+ deplete the original file-openers resource limit for the maximum of
+ open files. Instead the sending processes and its struct cred should
+ be credited.
- Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for
- catching 32-bit userspace dealing with a file large enough that it'll be
- mishandled if the application isn't aware that there might be an integer
- overflow. Inside the kernel, there shouldn't be any problems.
+ To do so, we add a reference counted struct user_struct pointer to the
+ scm_fp_list and use it to account for the number of inflight unix fds.
- Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
- Signed-off-by: David Howells <dhowells@redhat.com>
- Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
- Cc: <stable@vger.kernel.org> # v3.18+
-
- fs/overlayfs/copy_up.c | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit bf5e23398e4a82e28fe0801337a4b78ca951a1d9
-Author: David Howells <dhowells@redhat.com>
-Date: Fri Sep 18 11:45:22 2015 +0100
+ Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+ Reported-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: David Herrmann <dh.herrmann@gmail.com>
+ Cc: Willy Tarreau <w@1wt.eu>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- ovl: fix dentry reference leak
-
- In ovl_copy_up_locked(), newdentry is leaked if the function exits through
- out_cleanup as this just to out after calling ovl_cleanup() - which doesn't
- actually release the ref on newdentry.
-
- The out_cleanup segment should instead exit through out2 as certainly
- newdentry leaks - and possibly upper does also, though this isn't caught
- given the catch of newdentry.
-
- Without this fix, something like the following is seen:
-
- BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs]
- BUG: Dentry ffff880023ece640{i=0,n=bigfile} still in use (1) [unmount of tmpfs tmpfs]
-
- when unmounting the upper layer after an error occurred in copyup.
-
- An error can be induced by creating a big file in a lower layer with
- something like:
-
- dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000))
-
- to create a large file (4.1G). Overlay an upper layer that is too small
- (on tmpfs might do) and then induce a copy up by opening it writably.
-
- Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
- Signed-off-by: David Howells <dhowells@redhat.com>
- Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
- Cc: <stable@vger.kernel.org> # v3.18+
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+commit e830db443ff78d70b7b63536e688d73907face0c
+Author: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri Jan 15 16:57:37 2016 -0800
+
+ fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+ Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+ argument end is of type pgoff_t. It was being converted to a vaddr
+ offset and passed to unmap_hugepage_range. However, end was also being
+ used as an argument to the vma_interval_tree_foreach controlling loop.
+ In addition, the conversion of end to vaddr offset was incorrect.
+
+ hugetlb_vmtruncate_list is called as part of a file truncate or
+ fallocate hole punch operation.
+
+ When truncating a hugetlbfs file, this bug could prevent some pages from
+ being unmapped. This is possible if there are multiple vmas mapping the
+ file, and there is a sufficiently sized hole between the mappings. The
+ size of the hole between two vmas (A,B) must be such that the starting
+ virtual address of B is greater than (ending virtual address of A <<
+ PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+ pages are not properly unmapped during truncate, the following BUG is
+ hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+ In the fallocate hole punch case, this bug could prevent pages from
+ being unmapped as in the truncate case. However, for hole punch the
+ result is that unmapped pages will not be removed during the operation.
+ For hole punch, it is also possible that more pages than desired will be
+ unmapped. This unnecessary unmapping will cause page faults to
+ reestablish the mappings on subsequent page access.
+
+ Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+ Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Davidlohr Bueso <dave@stgolabs.net>
+ Cc: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org> [4.3]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- fs/overlayfs/copy_up.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
-commit da93976d3355abae09d9fd6a68e7dea77ed619d1
-Author: Miklos Szeredi <miklos@szeredi.hu>
-Date: Mon Oct 12 15:56:20 2015 +0200
+commit cdb3ba4a9113b779347387f3b6c6ea72dd4db12f
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Feb 4 17:06:13 2016 +0100
- ovl: fix open in stacked overlay
+ ALSA: timer: Fix leftover link at closing
- If two overlayfs filesystems are stacked on top of each other, then we need
- recursion in ovl_d_select_inode().
+ In ALSA timer core, the active timer instance is managed in
+ active_list linked list. Each element is added / removed dynamically
+ at timer start, stop and in timer interrupt. The problem is that
+ snd_timer_interrupt() has a thinko and leaves the element in
+ active_list when it's the last opened element. This eventually leads
+ to list corruption or use-after-free error.
- I guess d_backing_inode() is supposed to do that. But currently it doesn't
- and that functionality is open coded in vfs_open(). This is now copied
- into ovl_d_select_inode() to fix this regression.
+ This hasn't been revealed because we used to delete the list forcibly
+ in snd_timer_stop() in the past. However, the recent fix avoids the
+ double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
+ corruption due to double start or stop]), and this leak hits reality.
- Reported-by: Alban Crequy <alban.crequy@gmail.com>
- Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
- Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...")
- Cc: David Howells <dhowells@redhat.com>
- Cc: <stable@vger.kernel.org> # v4.2+
-
- fs/overlayfs/inode.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-commit 0ddd9cf6149717882b81c946149bf55332d763ae
-Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-Date: Mon Aug 24 15:57:18 2015 +0300
-
- ovl: free stack of paths in ovl_fill_super
-
- This fixes small memory leak after mount.
-
- Kmemleak report:
-
- unreferenced object 0xffff88003683fe00 (size 16):
- comm "mount", pid 2029, jiffies 4294909563 (age 33.380s)
- hex dump (first 16 bytes):
- 20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff '......@K.6....
- backtrace:
- [<ffffffff811f8cd4>] create_object+0x124/0x2c0
- [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
- [<ffffffff811dffe6>] __kmalloc+0x106/0x340
- [<ffffffffa01b7a29>] ovl_fill_super+0x389/0x9a0 [overlay]
- [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
- [<ffffffffa01b7118>] ovl_mount+0x18/0x20 [overlay]
- [<ffffffff81201ab3>] mount_fs+0x43/0x170
- [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
- [<ffffffff812233ad>] do_mount+0x22d/0xdf0
- [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
- [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
- [<ffffffffffffffff>] 0xffffffffffffffff
-
- Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
- Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
- Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers")
- Cc: <stable@vger.kernel.org> # v4.0+
-
- fs/overlayfs/super.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ This patch fixes the link management in snd_timer_interrupt(). Now it
+ simply unlinks no matter which stream is.
+
+ BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
-commit b86575c9973b9ad55d659fd8a6be8f864435ad0e
-Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-Date: Mon Aug 24 15:57:19 2015 +0300
-
- ovl: free lower_mnt array in ovl_put_super
-
- This fixes memory leak after umount.
-
- Kmemleak report:
-
- unreferenced object 0xffff8800ba791010 (size 8):
- comm "mount", pid 2394, jiffies 4294996294 (age 53.920s)
- hex dump (first 8 bytes):
- 20 1c 13 02 00 88 ff ff .......
- backtrace:
- [<ffffffff811f8cd4>] create_object+0x124/0x2c0
- [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
- [<ffffffff811dffe6>] __kmalloc+0x106/0x340
- [<ffffffffa0152bfc>] ovl_fill_super+0x55c/0x9b0 [overlay]
- [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
- [<ffffffffa0152118>] ovl_mount+0x18/0x20 [overlay]
- [<ffffffff81201ab3>] mount_fs+0x43/0x170
- [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
- [<ffffffff812233ad>] do_mount+0x22d/0xdf0
- [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
- [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
- [<ffffffffffffffff>] 0xffffffffffffffff
-
- Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
- Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
- Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure")
- Cc: <stable@vger.kernel.org> # v4.0+
-
- fs/overlayfs/super.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ sound/core/timer.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit 9f49b5376fae99cd590d13726e2633bc0a53b6db
-Author: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Sun Nov 1 17:09:15 2015 -0800
+commit 47d9647902f6a2f46a2be1e0140ba0f6f8c06008
+Author: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri Feb 5 15:37:01 2016 -0800
- mm: get rid of 'vmalloc_info' from /proc/meminfo
-
- It turns out that at least some versions of glibc end up reading
- /proc/meminfo at every single startup, because glibc wants to know the
- amount of memory the machine has. And while that's arguably insane,
- it's just how things are.
-
- And it turns out that it's not all that expensive most of the time, but
- the vmalloc information statistics (amount of virtual memory used in the
- vmalloc space, and the biggest remaining chunk) can be rather expensive
- to compute.
-
- The 'get_vmalloc_info()' function actually showed up on my profiles as
- 4% of the CPU usage of "make test" in the git source repository, because
- the git tests are lots of very short-lived shell-scripts etc.
-
- It turns out that apparently this same silly vmalloc info gathering
- shows up on the facebook servers too, according to Dave Jones. So it's
- not just "make test" for git.
-
- We had two patches to just cache the information (one by me, one by
- Ingo) to mitigate this issue, but the whole vmalloc information of of
- rather dubious value to begin with, and people who *actually* want to
- know what the situation is wrt the vmalloc area should just look at the
- much more complete /proc/vmallocinfo instead.
+ radix-tree: fix oops after radix_tree_iter_retry
- In fact, according to my testing - and perhaps more importantly,
- according to that big search engine in the sky: Google - there is
- nothing out there that actually cares about those two expensive fields:
- VmallocUsed and VmallocChunk.
+ Helper radix_tree_iter_retry() resets next_index to the current index.
+ In following radix_tree_next_slot current chunk size becomes zero. This
+ isn't checked and it tries to dereference null pointer in slot.
- So let's try to just remove them entirely. Actually, this just removes
- the computation and reports the numbers as zero for now, just to try to
- be minimally intrusive.
-
- If this breaks anything, we'll obviously have to re-introduce the code
- to compute this all and add the caching patches on top. But if given
- the option, I'd really prefer to just remove this bad idea entirely
- rather than add even more code to work around our historical mistake
- that likely nobody really cares about.
+ Tagged iterator is fine because retry happens only at slot 0 where tag
+ bitmask in iter->tags is filled with single bit.
+ Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+ Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+ Cc: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Jeremiah Mahler <jmmahler@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
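Review bot: in the hugetlb_vmtruncate_list entry the Fixes and Reported-by trailers have been run onto one line, `Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>`, and the quoted subject carries a stray leading space inside the parentheses; split `Reported-by:` onto its own line and drop the space so the trailer block stays one tag per line like every other entry in this log. Separately, the "radix-tree: fix oops after radix_tree_iter_retry" entry cites `Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")`, but the commit this log records under that subject at the top of the hunk is 87790bbd0d8dc2bd7fd86cb947e32886db9e9766, so a reader tracing the dependency within this tree has to match on the subject line rather than the hash.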
- fs/proc/meminfo.c | 7 ++-----
- include/linux/vmalloc.h | 12 ------------
- mm/vmalloc.c | 47 -----------------------------------------------
- 3 files changed, 2 insertions(+), 64 deletions(-)
-
-commit 66425129a550275398f886498d957284539bb331
-Author: Marek Vasut <marex@denx.de>
-Date: Fri Oct 30 13:48:19 2015 +0100
-
- can: Use correct type in sizeof() in nla_put()
-
- The sizeof() is invoked on an incorrect variable, likely due to some
- copy-paste error, and this might result in memory corruption. Fix this.
-
- Signed-off-by: Marek Vasut <marex@denx.de>
- Cc: Wolfgang Grandegger <wg@grandegger.com>
- Cc: netdev@vger.kernel.org
- Cc: linux-stable <stable@vger.kernel.org>
- Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-
- drivers/net/can/dev.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ include/linux/radix-tree.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
-commit 8c8e802a86f8faf2519710db043339e1cc953bc4
+commit 95b5dcb3c01958502af00b0bc0da1d906aae11a2
+Merge: 438be0b 256aeaf
Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Nov 2 17:20:52 2015 -0500
-
- Fix the FPU code properly by copying the dynamically-sized FPU state on
- each clone of the task struct, making it equivalent to the new FPU-in-task-struct code
-
- Fix is from the PaX Team
+Date: Sun Feb 7 08:29:33 2016 -0500
- arch/x86/kernel/process.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit 036bc2e2231c76f7eb470bfef67b6bc26187aeae
+commit 256aeaf87c22de8edf1f03682a572c590ae07771
Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Nov 2 17:19:43 2015 -0500
-
- Revert the forced eagerfpu since it's now fixed properly
-
- arch/x86/kernel/fpu/init.c | 3 ---
- 1 files changed, 0 insertions(+), 3 deletions(-)
-
-commit a08ab82bcf321704f6a228c7924b860510c6d610
-Author: Carol L Soto <clsoto@linux.vnet.ibm.com>
-Date: Tue Oct 27 17:36:20 2015 +0200
-
- net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
-
- When doing memcpy/memset of EQEs, we should use sizeof struct
- mlx4_eqe as the base size and not caps.eqe_size which could be bigger.
-
- If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt
- data in the master context.
-
- When using a 64 byte stride, the memcpy copied over 63 bytes to the
- slave_eq structure. This resulted in copying over the entire eqe of
- interest, including its ownership bit -- and also 31 bytes of garbage
- into the next WQE in the slave EQ -- which did NOT include the ownership
- bit (and therefore had no impact).
-
- However, once the stride is increased to 128, we are overwriting the
- ownership bits of *three* eqes in the slave_eq struct. This results
- in an incorrect ownership bit for those eqes, which causes the eq to
- seem to be full. The issue therefore surfaced only once 128-byte EQEs
- started being used in SRIOV and (overarchitectures that have 128/256
- byte cache-lines such as PPC) - e.g after commit 77507aa249ae
- "net/mlx4_core: Enable CQE/EQE stride support".
-
- Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support')
- Signed-off-by: Carol L Soto <clsoto@linux.vnet.ibm.com>
- Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
- Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/net/ethernet/mellanox/mlx4/cmd.c | 2 +-
- drivers/net/ethernet/mellanox/mlx4/eq.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 811ab3b52935612def289efa5e9e2aa973f16f26
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Wed Oct 28 13:21:04 2015 +0100
+Date: Sun Feb 7 08:29:09 2016 -0500
+
+ Update to pax-linux-4.3.5-test28.patch:
+ - fixed an integer truncation bug in numa_clear_kernel_node_hotplug caught by the size overflow plugin, reported by x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4374)
+ - spender fixed UDEREF on arm
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ arch/x86/mm/numa.c | 2 +-
+ security/Kconfig | 1 -
+ 10 files changed, 60 insertions(+), 70 deletions(-)
+
+commit 438be0bd112bd17942b2628c53054dc1007558a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 19:50:31 2016 -0500
+
+ Fix a number of issues caused by the upstream merging of a UDEREF ripoff resulting in unbootable
+ ARM systems reported on the forums
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ security/Kconfig | 1 -
+ 9 files changed, 59 insertions(+), 69 deletions(-)
+
+commit 4ffdd5ef1f87e611af1efb4f251ada92abe9f4c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:21:53 2016 -0500
- ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
-
- Raw sockets with hdrincl enabled can insert ipv6 extension headers
- right into the data stream. In case we need to fragment those packets,
- we reparse the options header to find the place where we can insert
- the fragment header. If the extension headers exceed the link's MTU we
- actually cannot make progress in such a case.
-
- Instead of ending up in broken arithmetic or rounding towards 0 and
- entering an endless loop in ip6_fragment, just prevent those cases by
- aborting early and signal -EMSGSIZE to user space.
-
- This is the second version of the patch which doesn't use the
- overflow_usub function, which got reverted for now.
-
- Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
- Cc: Linus Torvalds <torvalds@linux-foundation.org>
- Reported-by: Dmitry Vyukov <dvyukov@google.com>
- Cc: Dmitry Vyukov <dvyukov@google.com>
- Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Fix another compiler warning
- net/ipv6/ip6_output.c | 2 ++
+ net/ipv4/tcp_input.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
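Review bot: the diffstat under "Update to pax-linux-4.3.5-test28.patch" repeats, line for line, the nine ARM files of the next entry 438be0bd ("Fix a number of issues caused by the upstream merging of a UDEREF ripoff ...") and adds only `arch/x86/mm/numa.c | 2 +-`, so the "spender fixed UDEREF on arm" bullet records the same `arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------` rework a second time and the per-entry stats double count it; listing only the files the PaX update itself changes under that entry, and leaving the ARM work to 438be0bd, would keep the counts honest.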
-commit f074980442c7c3ff4a75c711ff18204dfb4131b8
+commit 30b5b7bc0fd67d458bdd5ab35e4689769eabd2ed
Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 29 18:19:02 2015 -0400
+Date: Sat Feb 6 11:16:12 2016 -0500
- Revert "ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues"
-
- This reverts commit 18d5034650b637ec479f41d98e3912398b3e3efc.
+ Fix two compiler warnings
- net/ipv6/ip6_output.c | 6 +-----
- 1 files changed, 1 insertions(+), 5 deletions(-)
+ kernel/pid.c | 5 ++---
+ kernel/ptrace.c | 3 ++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
-commit 53e629c2d13ed09f4c889925482606f82a65bd1d
+commit dda4d2a21914c480750f10bd55c6e3203d415d8d
Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 29 18:18:55 2015 -0400
+Date: Wed Feb 3 21:22:40 2016 -0500
- Revert "overflow-arith: begin to add support for overflow builtin functions"
-
- This reverts commit cfd0008de8db38841f7f06b979482900994717b9.
-
- Conflicts:
-
- include/linux/compiler-gcc.h
+ Apply fix for integer truncation in NUMA init code, reported by
+ x14sg1 on the forums:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4374
- include/linux/compiler-gcc.h | 4 ----
- include/linux/overflow-arith.h | 18 ------------------
- 2 files changed, 0 insertions(+), 22 deletions(-)
+ arch/x86/mm/numa.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-commit 225122602b5b7fd58ec5c2a4a1a4a9a29fe7a02a
+commit 477505f7c893cb6a2c3e22f83eefd9c985d7b3ca
+Merge: a781740 016d0d8
Author: Brad Spengler <spender@grsecurity.net>
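Review bot: the message "Apply fix for integer truncation in NUMA init code, reported by x14sg1 on the forums" does not name the function, while the later pax-linux-4.3.5-test28 entry that carries the identical `arch/x86/mm/numa.c | 2 +-` one-liner and the same forum URL identifies it as numa_clear_kernel_node_hotplug; name the function here too so a reader can see the two entries are the same fix without following the link.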
-Date: Thu Oct 29 09:00:11 2015 -0400
-
- Update size_overflow plugin
+Date: Wed Feb 3 21:20:58 2016 -0500
- .../size_overflow_plugin/intentional_overflow.c | 3 +++
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- 2 files changed, 4 insertions(+), 1 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit 2bf85cb1c3df45d59d8b59aeacf63cbbee360175
+commit 016d0d81a8dd4be1304c82a68e0ccf425868f467
Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 29 08:52:07 2015 -0400
-
- Temporarily disable the builtin_overflow again as the kernexec plugin also has problems with it
+Date: Wed Feb 3 21:20:10 2016 -0500
+
+ Update to pax-linux-4.3.5-test27.patch:
+ - fixed a bunch of potential REFCOUNT false positives, reported by Emese
+ - restored padding in fpregs_state for storing AVX-512 state in the future
+ - constified netlink_dump_control
+ - added const version of debug_gimple_stmt for gcc plugins, by Emese
+ - Emese fixed a bug in initify that could have initified too much
+ - Emese fixed a false positive intentional integer overflow in xfrm4_extract_header, reported by corsac
+
+ arch/x86/include/asm/fpu/types.h | 1 +
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ block/blk-cgroup.c | 18 ++--
+ block/cfq-iosched.c | 4 +-
+ crypto/crypto_user.c | 8 ++-
+ drivers/acpi/apei/ghes.c | 6 +-
+ drivers/char/ipmi/ipmi_ssif.c | 12 ++--
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +-
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 2 +-
+ drivers/gpu/drm/amd/scheduler/sched_fence.c | 2 +-
+ drivers/infiniband/core/netlink.c | 5 +-
+ drivers/infiniband/hw/cxgb4/device.c | 6 +-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/bcache.h | 10 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/io.c | 10 +-
+ drivers/md/bcache/journal.c | 2 +-
+ drivers/md/bcache/stats.c | 26 +++---
+ drivers/md/bcache/stats.h | 16 ++--
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bcache/sysfs.c | 20 +++---
+ drivers/md/dm-cache-target.c | 98 ++++++++++++------------
+ drivers/md/dm-raid.c | 2 +-
+ drivers/md/md.c | 6 +-
+ drivers/md/md.h | 2 +-
+ drivers/md/raid1.c | 2 +-
+ drivers/md/raid10.c | 2 +-
+ drivers/md/raid5.c | 4 +-
+ drivers/media/pci/zoran/zoran.h | 1 -
+ drivers/media/pci/zoran/zoran_driver.c | 3 -
+ drivers/net/ethernet/sfc/selftest.c | 20 +++---
+ drivers/net/irda/vlsi_ir.c | 18 ++--
+ drivers/net/irda/vlsi_ir.h | 14 ++--
+ drivers/net/wireless/ath/carl9170/carl9170.h | 6 +-
+ drivers/net/wireless/ath/carl9170/debug.c | 6 +-
+ drivers/net/wireless/ath/carl9170/main.c | 10 +-
+ drivers/net/wireless/ath/carl9170/tx.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/d3.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 2 +-
+ drivers/scsi/hptiop.c | 2 -
+ drivers/scsi/hptiop.h | 1 -
+ drivers/scsi/ipr.c | 6 +-
+ drivers/scsi/ipr.h | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 10 +-
+ drivers/scsi/qla2xxx/qla_target.h | 2 +-
+ fs/btrfs/ctree.c | 2 +-
+ fs/btrfs/ctree.h | 4 +-
+ fs/btrfs/delayed-ref.c | 4 +-
+ fs/btrfs/disk-io.c | 4 +-
+ fs/btrfs/file.c | 4 +-
+ fs/btrfs/raid56.c | 32 ++++----
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ fs/btrfs/transaction.c | 2 +-
+ fs/btrfs/tree-log.c | 8 +-
+ fs/btrfs/volumes.c | 14 ++--
+ fs/btrfs/volumes.h | 22 +++---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 4 +-
+ fs/ocfs2/dlm/dlmcommon.h | 4 +-
+ fs/ocfs2/dlm/dlmdebug.c | 10 +-
+ fs/ocfs2/dlm/dlmdomain.c | 4 +-
+ fs/ocfs2/dlm/dlmmaster.c | 4 +-
+ include/acpi/ghes.h | 2 +-
+ include/linux/blk-cgroup.h | 24 +++---
+ include/linux/jbd2.h | 2 +-
+ include/linux/netlink.h | 12 ++--
+ include/net/cfg802154.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +-
+ net/batman-adv/routing.c | 4 +-
+ net/batman-adv/soft-interface.c | 2 +-
+ net/batman-adv/translation-table.c | 14 ++--
+ net/batman-adv/types.h | 2 +-
+ net/core/neighbour.c | 14 ++--
+ net/core/rtnetlink.c | 2 +-
+ net/ipv4/arp.c | 2 +-
+ net/ipv4/inet_diag.c | 4 +-
+ net/ipv4/xfrm4_state.c | 4 +-
+ net/ipv6/ndisc.c | 2 +-
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/debugfs_key.c | 2 +-
+ net/mac80211/key.c | 4 +-
+ net/mac80211/tx.c | 2 +-
+ net/mac80211/wpa.c | 10 +-
+ net/mac802154/iface.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 22 +++---
+ net/netfilter/nf_tables_api.c | 13 ++--
+ net/netfilter/nfnetlink_acct.c | 7 +-
+ net/netfilter/nfnetlink_cthelper.c | 2 +-
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ net/netlink/af_netlink.c | 10 ++-
+ net/netlink/diag.c | 2 +-
+ net/netlink/genetlink.c | 14 ++--
+ net/packet/af_packet.c | 18 ++--
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 6 +-
+ net/unix/diag.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ security/apparmor/policy.c | 4 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_fifo.c | 6 +-
+ sound/core/seq/seq_fifo.h | 2 +-
+ tools/gcc/gcc-common.h | 24 ++++--
+ tools/gcc/initify_plugin.c | 7 +-
+ tools/lib/api/Makefile | 2 +-
+ 109 files changed, 399 insertions(+), 391 deletions(-)
+
+commit a7817402ac837b1aee07fac42537a02097055098
+Author: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Fri Jan 29 11:36:10 2016 +0000
+
+ x86/mm/pat: Avoid truncation when converting cpa->numpages to address
+
+ There are a couple of nasty truncation bugs lurking in the pageattr
+ code that can be triggered when mapping EFI regions, e.g. when we pass
+ a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
+ left by PAGE_SHIFT will truncate the resultant address to 32-bits.
+
+ Viorel-Cătălin managed to trigger this bug on his Dell machine that
+ provides a ~5GB EFI region which requires 1236992 pages to be mapped.
+ When calling populate_pud() the end of the region gets calculated
+ incorrectly in the following buggy expression,
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+
+ And only 188416 pages are mapped. Next, populate_pud() gets invoked
+ for a second time because of the loop in __change_page_attr_set_clr(),
+ only this time no pages get mapped because shifting the remaining
+ number of pages (1048576) by PAGE_SHIFT is zero. At which point the
+ loop in __change_page_attr_set_clr() spins forever because we fail to
+ map progress.
+
+ Hitting this bug depends very much on the virtual address we pick to
+ map the large region at and how many pages we map on the initial run
+ through the loop. This explains why this issue was only recently hit
+ with the introduction of commit
+
+ a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
+ entries bottom-up at runtime, instead of top-down")
+
+ It's interesting to note that safe uses of cpa->numpages do exist in
+ the pageattr code. If instead of shifting ->numpages we multiply by
+ PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
+ so the result is unsigned long.
+
+ To avoid surprises when users try to convert very large cpa->numpages
+ values to addresses, change the data type from 'int' to 'unsigned
+ long', thereby making it suitable for shifting by PAGE_SHIFT without
+ any type casting.
+
+ The alternative would be to make liberal use of casting, but that is
+ far more likely to cause problems in the future when someone adds more
+ code and fails to cast properly; this bug was difficult enough to
+ track down in the first place.
+
+ Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
+ Acked-by: Borislav Petkov <bp@alien8.de>
+ Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
+ Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
- include/linux/compiler-gcc.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ arch/x86/mm/pageattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit a41c8c4d880b6005e874bf5440e24713da8483cd
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 28 19:28:30 2015 -0400
+commit 64dd9d7a67a742fda257cdd16510c29e695c34b5
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Tue Jan 26 04:15:18 2016 -0700
- temporarily work around issue with the dynamic FPU state and lazy FPU mode
- upstream configures FPU mode based on the eagerfpu variable before it's ever actually
- set by the commandline parser (so eagerfpu= on the commandline has no effect)
+ x86/mm: Fix types used in pgprot cacheability flags translations
+
+ For PAE kernels "unsigned long" is not suitable to hold page protection
+ flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
+ few W+X pages getting reported as insecure during boot (observed namely
+ for the entire initrd range).
+
+ Fixes: 281d4078be ("x86: Make page cache mode a real type")
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Reviewed-by: Juergen Gross <JGross@suse.com>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
- arch/x86/kernel/fpu/init.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ arch/x86/include/asm/pgtable_types.h | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
-commit 8452f9d5cfabda9228496050a16bc8728c0ebbb7
+commit bb9a3a9df0d8dfc96d521676e64c42b37ba22aea
+Merge: 682d661 f74425b
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 28 19:25:55 2015 -0400
-
- Remove/reorder some code due to the reverting of the FPU-state-in-task_struct code
+Date: Sun Jan 31 15:06:25 2016 -0500
- arch/x86/include/asm/fpu/types.h | 69 ++++++++++++++++++--------------------
- arch/x86/include/asm/processor.h | 10 ++----
- arch/x86/kernel/fpu/init.c | 20 -----------
- include/linux/sched.h | 4 +-
- 4 files changed, 38 insertions(+), 65 deletions(-)
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/slip/slhc.c
+ include/linux/sched.h
+ net/unix/af_unix.c
+ sound/core/timer.c
-commit c2127bd4215f8f02a1391bef3bde55d0bb1c19bc
+commit f74425b5705bfe52aff9e97659ef10c4a14176c3
+Merge: d14af1f 849a2d3
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 27 23:38:11 2015 -0400
-
- fix typo
+Date: Sun Jan 31 15:02:55 2016 -0500
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ Merge branch 'linux-4.3.y' into pax-test
+
+ Conflicts:
+ arch/x86/include/asm/mmu_context.h
-commit c588def7b5713c31fef2b848bfebf0d727791b82
+commit 682d6611d75542e351c973c8dd74a99d3966c073
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 27 21:09:04 2015 -0400
+Date: Sat Jan 30 13:05:03 2016 -0500
- remove the PAGE_SIZE padding from fpregs_state since it's not included as part
- of the task struct
+ Based on a report from Mathias Krause, fix up a number of additional instances
+ of ulong overflow when passing in values to gr_learn_resource by saturating
+ to ULONG_MAX
- arch/x86/include/asm/fpu/types.h | 1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
+ mm/mlock.c | 11 ++++++++---
+ mm/mmap.c | 16 +++++++++++++---
+ 2 files changed, 21 insertions(+), 6 deletions(-)
-commit 3bd1e5915353fee1f347577f0e80d925910695f9
-Author: Herbert Xu <herbert@gondor.apana.org.au>
-Date: Mon Oct 19 18:23:57 2015 +0800
+commit adb52e95fb9ad4ac9c56cd5d47bd668f47c33096
+Author: Jann Horn <jann@thejh.net>
+Date: Sat Dec 26 06:00:48 2015 +0100
- crypto: api - Only abort operations on fatal signal
-
- Currently a number of Crypto API operations may fail when a signal
- occurs. This causes nasty problems as the caller of those operations
- are often not in a good position to restart the operation.
+ seccomp: always propagate NO_NEW_PRIVS on tsync
- In fact there is currently no need for those operations to be
- interrupted by user signals at all. All we need is for them to
- be killable.
-
- This patch replaces the relevant calls of signal_pending with
- fatal_signal_pending, and wait_for_completion_interruptible with
- wait_for_completion_killable, respectively.
+ Before this patch, a process with some permissive seccomp filter
+ that was applied by root without NO_NEW_PRIVS was able to add
+ more filters to itself without setting NO_NEW_PRIVS by setting
+ the new filter from a throwaway thread with NO_NEW_PRIVS.
+ Signed-off-by: Jann Horn <jann@thejh.net>
Cc: stable@vger.kernel.org
- Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: Kees Cook <keescook@chromium.org>
- crypto/ablkcipher.c | 2 +-
- crypto/algapi.c | 2 +-
- crypto/api.c | 6 +++---
- crypto/crypto_user.c | 2 +-
- 4 files changed, 6 insertions(+), 6 deletions(-)
+ kernel/seccomp.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
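Review bot: this fix closes a policy bypass (a permissive root-installed filter could be extended without NO_NEW_PRIVS by applying the new filter from a throwaway thread with the flag set), yet unlike the other upstream fixes in this changelog it names neither the commit that introduced TSYNC nor a Fixes: tag, even though it is Cc'd to stable; add the tag so backport targeting is not guesswork. The 11+/11- diffstat in kernel/seccomp.c is consistent with relocating the flag propagation, but the message should say explicitly that the flag is now propagated to every thread in the group on tsync regardless of which thread requested it.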
-commit 2b278f02de77bd3d0ffb4c64bc56b702d4e27e49
+commit b85450498a3bbf269441c8963d7574bb3079c838
+Merge: 59c216f d14af1f
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 27 18:02:42 2015 -0400
-
- Update a comment
-
- arch/x86/include/asm/fpu/internal.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit 66cbab70d87485c22946485bfd375c3e88140213
-Merge: cad84c5 8610c94
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 27 07:44:23 2015 -0400
+Date: Fri Jan 29 20:54:13 2016 -0500
Merge branch 'pax-test' into grsec-test
-commit 8610c949a76ac2a09b334f41c35cb8e7a04a0ce8
-Merge: a851b41 f69d603
+commit d14af1f1dd66511f3f0674deee2b572972012b39
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 27 07:44:14 2015 -0400
+Date: Fri Jan 29 20:53:51 2016 -0500
- Merge branch 'linux-4.2.y' into pax-test
+ Update to pax-linux-4.3.4-test26.patch:
+ - Emese fixed a few intentional overflows introduced by gcc, reported by StalkR (https://forums.grsecurity.net/viewtopic.php?f=3&t=4370)
-commit cad84c52f547c8ba47ddcf39d1f260f55350f0c2
+ fs/cifs/file.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 96 ++++++++++++++++++--
+ tools/gcc/size_overflow_plugin/size_overflow.h | 2 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 6 +-
+ .../size_overflow_transform_core.c | 5 +
+ 7 files changed, 102 insertions(+), 15 deletions(-)
+
+commit 59c216f13587eacdd692386b7a403ae78ed84fb6
Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Oct 26 07:33:21 2015 -0400
+Date: Wed Jan 27 17:57:21 2016 -0500
- re-enable builtin_overflow support
+ Fix a size_overflow report reported by Mathias Krause in our
+ truncation of an loff_t to an unsigned long when being passed
+ to gr_learn_resource() (as all resource checks are against unsigned long
+ values)
- include/linux/compiler-gcc.h | 3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
+ fs/attr.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
-commit 6e281aebbf456c27ce530055d5668bc5829c02a8
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Oct 26 07:32:15 2015 -0400
+commit 70636c6ad60fc1db3af764ecc789b827b7497a97
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Wed Jan 6 12:42:38 2016 -0800
- Update the size_overflow plugin from Emese to fix the ICE on builtin_overflow use
+ tcp: fix zero cwnd in tcp_cwnd_reduction
+
+ Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
+ conditionally") introduced a bug that cwnd may become 0 when both
+ inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
+ to a div-by-zero if the connection starts another cwnd reduction
+ phase by setting tp->prior_cwnd to the current cwnd (0) in
+ tcp_init_cwnd_reduction().
+
+ To prevent this we skip PRR operation when nothing is acked or
+ sacked. Then cwnd must be positive in all cases as long as ssthresh
+ is positive:
+
+ 1) The proportional reduction mode
+ inflight > ssthresh > 0
+
+ 2) The reduction bound mode
+ a) inflight == ssthresh > 0
+
+ b) inflight < ssthresh
+ sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
+
+ Therefore in all cases inflight and sndcnt can not both be 0.
+ We check invalid tp->prior_cwnd to avoid potential div0 bugs.
+
+ In reality this bug is triggered only with a sequence of less common
+ events. For example, the connection is terminating an ECN-triggered
+ cwnd reduction with an inflight 0, then it receives reordered/old
+ ACKs or DSACKs from prior transmission (which acks nothing). Or the
+ connection is in fast recovery stage that marks everything lost,
+ but fails to retransmit due to local issues, then receives data
+ packets from other end which acks nothing.
+
+ Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
+ Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 3 ++-
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
+ net/ipv4/tcp_input.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
-commit 75ed97df02fc6eb862df511da6ca690de3d0f15c
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Oct 26 07:17:00 2015 -0400
+commit dac1da2bedbb43195d371c7a192cfeeb45683df0
+Author: Eric Dumazet <edumazet@google.com>
+Date: Sun Jan 24 13:53:50 2016 -0800
- Fix from Emese for a size_overflow report in the fbcon code on the
- 'softback_lines' global variable
+ af_unix: fix struct pid memory leak
+
+ Dmitry reported a struct pid leak detected by a syzkaller program.
+
+ Bug happens in unix_stream_recvmsg() when we break the loop when a
+ signal is pending, without properly releasing scm.
+
+ Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/video/console/fbcon.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit b088cabd42c6fe825baa27f40ab450ad75e571d3
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 18:09:55 2015 -0400
+commit 15cc47f127520d1ac0c1fe76d993c2c27f0f2571
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jan 22 01:39:43 2016 +0100
- Temporarily work around an ICE on GCC >= 5 reported by Daniel Micay due to
- backporting of __builtin_usub_overflow
+ pptp: fix illegal memory access caused by multiple bind()s
+
+ Several times already this has been reported as kasan reports caused by
+ syzkaller and trinity and people always looked at RCU races, but it is
+ much more simple. :)
+
+ In case we bind a pptp socket multiple times, we simply add it to
+ the callid_sock list but don't remove the old binding. Thus the old
+ socket stays in the bucket with unused call_id indexes and doesn't get
+ cleaned up. This causes various forms of kasan reports which were hard
+ to pinpoint.
+
+ Simply don't allow multiple binds and correct error handling in
+ pptp_bind. Also keep sk_state bits in place in pptp_connect.
+
+ Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Cc: Sasha Levin <sasha.levin@oracle.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dave Jones <davej@codemonkey.org.uk>
+ Reported-by: Dave Jones <davej@codemonkey.org.uk>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- include/linux/compiler-gcc.h | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
+ drivers/net/ppp/pptp.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
-commit ba858f46865c6751af3ddba03b176e4d5ecf85c1
+commit e2b7b8c66851c85188fa6dab2d2b2a6c85bc7332
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 17:59:17 2015 -0400
+Date: Tue Jan 26 18:17:10 2016 -0500
- Update size_overflow hash table
+ Add info about cpupower/powertop to GRKERNSEC_KMEM, was present on our
+ wiki but was removed from the config help at some point
- .../disable_size_overflow_hash.data | 7 +++++++
- .../size_overflow_plugin/size_overflow_hash.data | 9 +--------
- 2 files changed, 8 insertions(+), 8 deletions(-)
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
-commit ba803bceaea0283b38e91c1d3176bf0671786269
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 15:31:17 2015 -0400
+commit ce2e88efa000fc32bfcd84098f57c8ed8310fefc
+Author: Thomas Egerer <hakke_007@gmx.de>
+Date: Mon Jan 25 12:58:44 2016 +0100
- Fix oversight in pipacs' removal of FPU state from the task struct:
- fpu_copy was performing an OOB copy starting from the address of the 'state'
- pointer in the fpu struct instead of starting from the address pointed
- to by the state pointer. Reported at:
- https://bugs.archlinux.org/task/46764
+ ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
+
+ The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
+ to select CRYPTO_ECHAINIV in order to work properly. This solves the
+ issues caused by a misconfiguration as described in [1].
+ The original approach, patching crypto/Kconfig was turned down by
+ Herbert Xu [2].
+
+ [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
+ [2] http://marc.info/?l=linux-crypto-vger&m=145224655809562&w=2
+
+ Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
+ Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- arch/x86/include/asm/fpu/internal.h | 4 ++--
- arch/x86/kernel/fpu/core.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
+ net/ipv4/Kconfig | 1 +
+ net/ipv6/Kconfig | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
-commit 26e7d31c5b5c970c50297d2b8be165e9c9ab9d83
-Merge: 85d8735 a851b41
+commit fca5a303155ea67d28aece0caf2b03ffc3b2668d
+Merge: 904114c 6339c1f
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 13:39:21 2015 -0400
+Date: Tue Jan 26 18:08:40 2016 -0500
Merge branch 'pax-test' into grsec-test
-commit a851b41415a0402d76f10712b6950ddff3872a22
+commit 6339c1f9a9beafd417bf9f04d4b257e62aeb45b7
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 13:38:25 2015 -0400
+Date: Tue Jan 26 18:07:51 2016 -0500
- Update to latest size_overflow plugin release:
- Temporarily ignore bitfield types: https://bugs.archlinux.org/task/46798
- Use SI or wider type for the size_overflow type: https://forums.grsecurity.net/viewtopic.php?t=4293&p=15655#p15655
+ Update to pax-linux-4.3.4-test25.patch:
+ - fixed incorrect handling of VM_DONTCOPY during fork that would trigger a consistency check in the vma mirroring logic, reported by Mathias Krause <minipli@googlemail.com>
+ - fixed init_new_context on !MODIFY_LDT_SYSCALL configs, reported by tjh (https://forums.grsecurity.net/viewtopic.php?f=3&t=4368)
+ - fixed a few REFCOUNT false positives in SNMP related statistics
- .../size_overflow_plugin/intentional_overflow.c | 3 +++
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- .../size_overflow_plugin/size_overflow_transform.c | 7 +++++++
- .../size_overflow_transform_core.c | 2 --
- 4 files changed, 11 insertions(+), 3 deletions(-)
+ arch/x86/Kconfig | 2 +-
+ arch/x86/include/asm/mmu_context.h | 17 +++++++++++++++++
+ include/net/snmp.h | 10 +++++-----
+ kernel/fork.c | 11 +++++++++--
+ net/ipv4/proc.c | 8 ++++----
+ net/ipv6/addrconf.c | 4 ++--
+ net/ipv6/proc.c | 10 +++++-----
+ 7 files changed, 43 insertions(+), 19 deletions(-)
-commit 85d8735a1d1190e3ad2e3f032ae88f811090fdfc
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 13:01:32 2015 -0400
+commit 904114c2fce3fdff5d57e763da56a78960db4e19
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Jan 22 18:08:52 2016 -0500
- fpu doesn't live on the task_struct with PaX, so don't even bother computing some task_size
- variable that isn't used for anything
+ make sure that freeing shmem fast symlinks is RCU-delayed
+
+ Cc: stable@vger.kernel.org # v4.2+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- arch/x86/kernel/fpu/init.c | 14 --------------
- 1 files changed, 0 insertions(+), 14 deletions(-)
+ include/linux/shmem_fs.h | 5 +----
+ mm/shmem.c | 9 ++++-----
+ 2 files changed, 5 insertions(+), 9 deletions(-)
-commit cfd0008de8db38841f7f06b979482900994717b9
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Fri Oct 16 11:32:42 2015 +0200
+commit ab86adee64312a2f827dd516cb199521327943ed
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon Jan 18 19:23:51 2016 -0500
- overflow-arith: begin to add support for overflow builtin functions
-
- The idea of the overflow-arith.h header is to collect overflow checking
- functions in one central place.
+ netfilter: nf_conntrack: use safer way to lock all buckets
- If gcc compiler supports the __builtin_overflow_* builtins we use them
- because they might give better performance, otherwise the code falls
- back to normal overflow checking functions.
+ When we need to lock all buckets in the connection hashtable we'd attempt to
+ lock 1024 spinlocks, which is way more preemption levels than supported by
+ the kernel. Furthermore, this behavior was hidden by checking if lockdep is
+ enabled, and if it was - use only 8 buckets(!).
- The builtin_overflow functions are supported by gcc-5 and clang. The
- matter of supporting clang is to just provide a corresponding
- CC_HAVE_BUILTIN_OVERFLOW, because the specific overflow checking builtins
- don't differ between gcc and clang.
-
- I just provide overflow_usub function here as I intend this to get merged
- into net, more functions will definitely follow as they are needed.
-
- Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- include/linux/compiler-gcc.h | 4 ++++
- include/linux/overflow-arith.h | 18 ++++++++++++++++++
- 2 files changed, 22 insertions(+), 0 deletions(-)
-
-commit 18d5034650b637ec479f41d98e3912398b3e3efc
-Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Fri Oct 16 11:32:43 2015 +0200
-
- ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
+ Fix this by using a global lock and synchronize all buckets on it when we
+ need to lock them all. This is pretty heavyweight, but is only done when we
+ need to resize the hashtable, and that doesn't happen often enough (or at all).
- Raw sockets with hdrincl enabled can insert ipv6 extension headers
- right into the data stream. In case we need to fragment those packets,
- we reparse the options header to find the place where we can insert
- the fragment header. If the extension headers exceed the link's MTU we
- actually cannot make progress in such a case.
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+ Reviewed-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Instead of ending up in broken arithmetic or rounding towards 0 and
- entering an endless loop in ip6_fragment, just prevent those cases by
- aborting early and signal -EMSGSIZE to user space.
+ Conflicts:
- Reported-by: Dmitry Vyukov <dvyukov@google.com>
- Cc: Dmitry Vyukov <dvyukov@google.com>
- Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ net/netfilter/nfnetlink_cttimeout.c
+
+ include/net/netfilter/nf_conntrack_core.h | 8 ++----
+ net/netfilter/nf_conntrack_core.c | 38 +++++++++++++++++++++-------
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 2 +-
+ 4 files changed, 33 insertions(+), 17 deletions(-)
+
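Review bot: the Conflicts: block names net/netfilter/nfnetlink_cttimeout.c, but that file is absent from the four-file diffstat that follows, so either the conflict resolution dropped the upstream change to it or the diffstat predates resolution; the entry should state which. A silently discarded hunk matters here because the change converts the all-buckets locking from 1024 per-bucket spinlocks to a single global lock, and any caller left on the old scheme would lock buckets while nf_conntrack_core.c now expects the global lock.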
+commit 37014723527225481c720484bb788a1a6358072f
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Jan 18 16:36:09 2016 +0100
+
+ pipe: limit the per-user amount of pages allocated in pipes
+
+ On no-so-small systems, it is possible for a single process to cause an
+ OOM condition by filling large pipes with data that are never read. A
+ typical process filling 4000 pipes with 1 MB of data will use 4 GB of
+ memory. On small systems it may be tricky to set the pipe max size to
+ prevent this from happening.
+
+ This patch makes it possible to enforce a per-user soft limit above
+ which new pipes will be limited to a single page, effectively limiting
+ them to 4 kB each, as well as a hard limit above which no new pipes may
+ be created for this user. This has the effect of protecting the system
+ against memory abuse without hurting other users, and still allowing
+ pipes to work correctly though with less data at once.
+
+ The limit are controlled by two new sysctls : pipe-user-pages-soft, and
+ pipe-user-pages-hard. Both may be disabled by setting them to zero. The
+ default soft limit allows the default number of FDs per process (1024)
+ to create pipes of the default size (64kB), thus reaching a limit of 64MB
+ before starting to create only smaller pipes. With 256 processes limited
+ to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
+ 1084 MB of memory allocated for a user. The hard limit is disabled by
+ default to avoid breaking existing applications that make intensive use
+ of pipes (eg: for splicing).
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- net/ipv6/ip6_output.c | 6 +++++-
- 1 files changed, 5 insertions(+), 1 deletions(-)
+ Documentation/sysctl/fs.txt | 23 +++++++++++++++++++++
+ fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++-
+ include/linux/pipe_fs_i.h | 4 +++
+ include/linux/sched.h | 1 +
+ kernel/sysctl.c | 14 ++++++++++++
+ 5 files changed, 87 insertions(+), 2 deletions(-)
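Review bot: the 4 kB per-pipe figure and the 1084 MB worked example assume a 4 KiB PAGE_SIZE; the sysctls count pages (pipe-user-pages-soft, pipe-user-pages-hard), so on 16K or 64K page kernels the soft limit admits proportionally more memory, and the Documentation/sysctl/fs.txt text added in this diffstat should give the unit as pages, not bytes. The message also says the hard limit is disabled by default, so the "Mitigates: CVE-2013-4312" claim rests on the soft limit alone, which only shrinks new pipes to one page rather than capping per-user pipe memory; the entry should say that explicitly, and deployments wanting an actual cap must set pipe-user-pages-hard.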
-commit 0e1d1c0f1981b4049a70d23dce4c69daf19f020b
-Merge: c81314c 9470e78
+commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8
+Merge: 540f2af 7791ecb
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 11:51:44 2015 -0400
+Date: Sat Jan 23 10:57:11 2016 -0500
Merge branch 'pax-test' into grsec-test
-commit 9470e7893a9a1bf15f9b7d412dc09bebb59105e8
+commit 7791ecb84f840343a5646236fd0d34e1fb450793
+Merge: 470069c 399588c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 25 11:50:54 2015 -0400
-
- Temporary squelching of overflow warning on skb_transport_offset(), will be fixed properly after H2HC
+Date: Sat Jan 23 10:56:47 2016 -0500
- include/linux/skbuff.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ Merge branch 'linux-4.3.y' into pax-test
-commit c81314ce278e9cfa3322881a6133c2c7e53b9430
+commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 24 23:13:36 2015 -0400
-
- Update recordmcount/fixdep paths in RPM spec, from Andrew
-
- scripts/package/mkspec | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-commit 798e4296bd55778b5e77f1db69c1bb972419590f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 24 23:11:22 2015 -0400
+Date: Tue Jan 19 21:18:47 2016 -0500
Update size_overflow hash table
- .../disable_size_overflow_hash.data | 3 +++
- .../size_overflow_plugin/size_overflow_hash.data | 5 +----
- 2 files changed, 4 insertions(+), 4 deletions(-)
+ .../size_overflow_plugin/size_overflow_hash.data | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
-commit d9ef04f20fc634595883d1c1950c32a8fe04df22
+commit 7e649765626a28437f573f0fbe7a51a04615f041
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 24 08:27:29 2015 -0400
-
- Fix from Emese for https://forums.grsecurity.net/viewtopic.php?f=3&t=4291
+Date: Tue Jan 19 20:29:46 2016 -0500
- drivers/usb/class/cdc-acm.h | 2 +-
- include/linux/usb.h | 8 ++++----
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-commit eea46f1d247f5f63e3762da91a41cba76567800f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 23 18:24:57 2015 -0400
+ Backport fix from: https://lkml.org/lkml/2015/12/13/187
- Update size_overflow hash tables
-
- .../disable_size_overflow_hash.data | 5 ++++-
- .../size_overflow_plugin/size_overflow_hash.data | 5 +----
- 2 files changed, 5 insertions(+), 5 deletions(-)
+ fs/ext4/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
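Review bot: this backport entry gives only an lkml URL and no patch subject, author or Fixes: tag, so a reader cannot tell from the changelog what the one-line change to fs/ext4/extents.c corrects or which kernels need it; record the upstream subject and, once merged, the upstream commit id, as the other backported entries in this changelog do.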
-commit 8f521b864bd7428f3ad42613416c106d1d619c4d
-Merge: 26adf00 285f0d1
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 22 19:41:57 2015 -0400
+commit 53b859cd0a5f5b6ad54fe0c879dfedaa3c5a3005
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:30 2016 +0100
- Merge branch 'pax-test' into grsec-test
+ compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
+
+ This replaces all code in fs/compat_ioctl.c that translated
+ ioctl arguments into a in-kernel structure, then performed
+ do_ioctl under set_fs(KERNEL_DS), with code that allocates
+ data on the user stack and can call the VFS ioctl handler
+ under USER_DS.
+
+ This is done as a hardening measure because the caller
+ does not know what kind of ioctl handler will be invoked,
+ only that no corresponding compat_ioctl handler exists and
+ what the ioctl command number is. The accidental
+ invocation of an unlocked_ioctl handler that unexpectedly
+ calls copy_to_user could be a severe security issue.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Conflicts:
- drivers/gpu/drm/drm_lock.c
+
+ fs/compat_ioctl.c
-commit 285f0d1cda31b45ee217b90861677c032cb6550b
-Merge: d6dc25f 190bd21
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 22 19:40:34 2015 -0400
+ fs/compat_ioctl.c | 130 ++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 68 insertions(+), 62 deletions(-)
+
+commit 3e89e770ae27e931cd1583f021abac41eeebc3e7
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Jan 7 09:53:30 2016 -0500
- Merge branch 'linux-4.2.y' into pax-test
+ compat_ioctl: don't pass fd around when not needed
- Conflicts:
- arch/x86/kernel/process_64.c
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-commit 26adf00caf8f4ebf155422082d4e8b8e4eb60eef
-Author: Eric W. Biederman <ebiederm@xmission.com>
-Date: Sat Aug 15 13:36:12 2015 -0500
+ fs/compat_ioctl.c | 103 ++++++++++++++++++++++++++--------------------------
+ fs/internal.h | 7 ++++
+ fs/ioctl.c | 4 +-
+ include/linux/fs.h | 2 -
+ 4 files changed, 61 insertions(+), 55 deletions(-)
- dcache: Handle escaped paths in prepend_path
-
- A rename can result in a dentry that by walking up d_parent
- will never reach it's mnt_root. For lack of a better term
- I call this an escaped path.
+commit 9d4e04082752d4d2d68445c4e6faf33a2613df55
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:29 2016 +0100
+
+ compat_ioctl: don't look up the fd twice
- prepend_path is called by four different functions __d_path,
- d_absolute_path, d_path, and getcwd.
+ In code in fs/compat_ioctl.c that translates ioctl arguments
+ into a in-kernel structure, then performs sys_ioctl, possibly
+ under set_fs(KERNEL_DS), this commit changes the sys_ioctl
+ calls to do_ioctl calls. do_ioctl is a new function that does
+ the same thing as sys_ioctl, but doesn't look up the fd again.
- __d_path only wants to see paths are connected to the root it passes
- in. So __d_path needs prepend_path to return an error.
+ This change is made to avoid (potential) security issues
+ because of ioctl handlers that accept one of the ioctl
+ commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
+ TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
+ This can happen for multiple reasons:
- d_absolute_path similarly wants to see paths that are connected to
- some root. Escaped paths are not connected to any mnt_root so
- d_absolute_path needs prepend_path to return an error greater
- than 1. So escaped paths will be treated like paths on lazily
- unmounted mounts.
+ - The ioctl command number could be reused.
+ - The ioctl handler might not check the full ioctl
+ command. This is e.g. true for drm_ioctl.
+ - The ioctl handler is very special, e.g. cuse_file_ioctl
- getcwd needs to prepend "(unreachable)" so getcwd also needs
- prepend_path to return an error.
+ The real issue is that set_fs(KERNEL_DS) is used here,
+ but that's fixed in a separate commit
+ "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
- d_path is the interesting hold out. d_path just wants to print
- something, and does not care about the weird cases. Which raises
- the question what should be printed?
+ This change mitigates potential security issues by
+ preventing a race that permits invocation of
+ unlocked_ioctl handlers under KERNEL_DS through compat
+ code even if a corresponding compat_ioctl handler exists.
- Given that <escaped_path>/<anything> should result in -ENOENT I
- believe it is desirable for escaped paths to be printed as empty
- paths. As there are not really any meaninful path components when
- considered from the perspective of a mount tree.
+ So far, no way has been identified to use this to damage
+ kernel memory without having CAP_SYS_ADMIN in the init ns
+ (with the capability, doing reads/writes at arbitrary
+ kernel addresses should be easy through CUSE's ioctl
+ handler with FUSE_IOCTL_UNRESTRICTED set).
- So tweak prepend_path to return an empty path with an new error
- code of 3 when it encounters an escaped path.
+ [AV: two missed sys_ioctl() taken care of]
- Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- fs/dcache.c | 7 +++++++
- 1 files changed, 7 insertions(+), 0 deletions(-)
+ fs/compat_ioctl.c | 122 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 68 insertions(+), 54 deletions(-)
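Review bot: this entry says the change only mitigates the KERNEL_DS race and that the real fix is the separate "don't call do_ioctl under set_fs(KERNEL_DS)" commit, which appears above with its own Conflicts: block for fs/compat_ioctl.c; the changelog should record the order the three compat_ioctl commits were applied in, since resolving the set_fs rewrite on top of the fd-lookup change (rather than beneath it) determines what had to be re-derived by hand. The two fs/compat_ioctl.c diffstats (68+/54- here, 68+/62- for the set_fs commit) are close enough that it is worth confirming no hunk from one was folded into the other during conflict resolution.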
-commit d402147a7689356c29bfd46a7cfa6594e517ab95
-Author: Salva Peiró <speirofr@gmail.com>
-Date: Wed Oct 14 17:48:02 2015 +0200
+commit 5bf9e1ed4ebb278cd956ba142914fc04a024309c
+Author: Vasily Kulikov <segoon@openwall.com>
+Date: Fri Jan 15 16:57:55 2016 -0800
- staging/dgnc: fix info leak in ioctl
+ include/linux/poison.h: use POISON_POINTER_DELTA for poison pointers
+
+ TIMER_ENTRY_STATIC is defined as a poison pointers which
+ should point to nowhere. Redefine them using POISON_POINTER_DELTA
+ arithmetics to make sure they really point to non-mappable area declared
+ by the target architecture.
+
+ Signed-off-by: Vasily Kulikov <segoon@openwall.com>
+ Acked-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Solar Designer <solar@openwall.com>
+ Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of
- struct digi_dinfo after the ->dinfo_nboards member. Add an explicit
- memset(0) before filling the structure to avoid the info leak.
+ Conflicts:
- Signed-off-by: Salva Peiró <speirofr@gmail.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ include/linux/poison.h
- drivers/staging/dgnc/dgnc_mgmt.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ include/linux/poison.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-commit bafc510c4fb4e8a5e69531fdc3a733e58c4bbdbf
-Author: Salva Peiró <speirofr@gmail.com>
-Date: Wed Oct 7 07:09:26 2015 -0300
+commit 60f2e0a05ab8f56c804a9334a23e2b446305d110
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:41:44 2016 -0500
- [media] media/vivid-osd: fix info leak in ioctl
-
- The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
- struct fb_vblank after the ->hcount member. Add an explicit
- memset(0) before filling the structure to avoid the info leak.
-
- Signed-off-by: Salva Peiró <speirofr@gmail.com>
- Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
- Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+ Fix ARM compilation, reported by Austin Sepp
- drivers/media/platform/vivid/vivid-osd.c | 1 +
+ grsecurity/grsec_sig.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
-commit 980a903796ae06366fd5acbcd179ee2dc57fbabf
-Author: David Howells <dhowells@redhat.com>
-Date: Mon Oct 19 11:20:28 2015 +0100
+commit e15383743443dc43460a2fd73e0db0b608610dca
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Mon Jan 18 13:52:47 2016 +0100
- KEYS: Don't permit request_key() to construct a new keyring
+ ALSA: hrtimer: Fix stall by hrtimer_cancel()
- If request_key() is used to find a keyring, only do the search part - don't
- do the construction part if the keyring was not found by the search. We
- don't really want keyrings in the negative instantiated state since the
- rejected/negative instantiation error value in the payload is unioned with
- keyring metadata.
+ hrtimer_cancel() waits for the completion from the callback, thus it
+ must not be called inside the callback itself. This was already a
+ problem in the past with ALSA hrtimer driver, and the early commit
+ [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
- Now the kernel gives an error:
+ However, the previous fix is still insufficient: it may still cause a
+ lockup when the ALSA timer instance reprograms itself in its callback.
+ Then it invokes the start function even in snd_timer_interrupt() that
+ is called in hrtimer callback itself, results in a CPU stall. This is
+ no hypothetical problem but actually triggered by syzkaller fuzzer.
- request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
+ This patch tries to fix the issue again. Now we call
+ hrtimer_try_to_cancel() at both start and stop functions so that it
+ won't fall into a deadlock, yet giving some chance to cancel the queue
+ if the functions have been called outside the callback. The proper
+ hrtimer_cancel() is called in anyway at closing, so this should be
+ enough.
- Signed-off-by: David Howells <dhowells@redhat.com>
+ Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- security/keys/request_key.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ sound/core/hrtimer.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit f705c157ed6f8a9c4c0cf552fd5f054d9d500550
-Author: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Mon Oct 19 13:16:49 2015 +0300
+commit 12d874daf706e6e7c1ae709141859c809599297e
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 12:38:02 2016 +0100
- irda: precedence bug in irlmp_seq_hb_idx()
+ ALSA: seq: Fix missing NULL check at remove_events ioctl
- This is decrementing the pointer, instead of the value stored in the
- pointer. KASan detects it as an out of bounds reference.
+ snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+ unconditionally even if there is no FIFO assigned, and this leads to
+ an Oops due to NULL dereference. The fix is just to add a proper NULL
+ check.
- Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
- Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- net/irda/irlmp.c | 2 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
-commit 4a110451298bfce895ed224e6bbd9201d8605b2b
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 20 19:25:13 2015 -0400
+commit 2eb0632df1351378946507e7ef7ba0682632a7b5
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 15:36:27 2016 +0100
- Ratelimit the dump_stack as well, both to 15s with a burst of 3, enough not to completely
- flood syslog
+ ALSA: seq: Fix race at timer setup and close
+
+ ALSA sequencer code has an open race between the timer setup ioctl and
+ the close of the client. This was triggered by syzkaller fuzzer, and
+ a use-after-free was caught there as a result.
+
+ This patch papers over it by adding a proper queue->timer_mutex lock
+ around the timer-related calls in the relevant code path.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- fs/exec.c | 11 +++++++++--
- 1 files changed, 9 insertions(+), 2 deletions(-)
+ sound/core/seq/seq_queue.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
-commit 183fc2ae7d90e077fd27623998d82916260a2223
-Merge: a240939 d6dc25f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 20 19:16:04 2015 -0400
+commit b9e55ab955e59b4a636d78a748be90334a48b485
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Jan 14 16:30:58 2016 +0100
- Merge branch 'pax-test' into grsec-test
+ ALSA: timer: Harden slave timer list handling
- Conflicts:
- tools/gcc/size_overflow_plugin/size_overflow_plugin.c
+ A slave timer instance might be still accessible in a racy way while
+ operating the master instance as it lacks of locking. Since the
+ master operation is mostly protected with timer->lock, we should cope
+ with it while changing the slave instance, too. Also, some linked
+ lists (active_list and ack_list) of slave instances aren't unlinked
+ immediately at stopping or closing, and this may lead to unexpected
+ accesses.
+
+ This patch tries to address these issues. It adds spin lock of
+ timer->lock (either from master or slave, which is equivalent) in a
+ few places. For avoiding a deadlock, we ensure that the global
+ slave_active_lock is always locked at first before each timer lock.
+
+ Also, ack and active_list of slave instances are properly unlinked at
+ snd_timer_stop() and snd_timer_close().
+
+ Last but not least, remove the superfluous call of _snd_timer_stop()
+ at removing slave links. This is a noop, and calling it may confuse
+ readers wrt locking. Further cleanup will follow in a later patch.
+
+ Actually we've got reports of use-after-free by syzkaller fuzzer, and
+ this hopefully fixes these issues.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
-commit d6dc25f193a832e08d8e7cf097d7f70b3dc24776
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 20 19:14:41 2015 -0400
-
- Update to pax-linux-4.2.3-test16.patch:
- - fixed undefined integer shift in proc_do_submiturb, reported by Arnaud <arnaud@drno.eu>
- - fixed integer underflow in scm_detach_fds (similar to 1ac70e7ad24a88710cf9b6d7ababaefa2b575df0 upstream), reported by kdave (https://forums.grsecurity.net/viewtopic.php?f=1&t=4286)
- - Emese added a temporary workaround for miscompiling the ath10k driver, reported by victor
- - Emese fixed a false positive that affected the iwlwifi driver among others, reported by victor
- - Emese disabled size overflow checking in acpi_ex_do_math_op and on acpi_object_integer, reported by xxterry1xx and rfnx (https://forums.grsecurity.net/viewtopic.php?f=3&t=4287)
-
- drivers/net/wireless/ath/ath10k/ce.c | 2 +-
- drivers/usb/core/devio.c | 2 +-
- fs/dlm/lowcomms.c | 2 +-
- net/core/scm.c | 6 ++-
- .../disable_size_overflow_hash.data | 4 +-
- .../size_overflow_plugin/intentional_overflow.c | 44 --------------------
- tools/gcc/size_overflow_plugin/size_overflow.h | 1 -
- .../size_overflow_plugin/size_overflow_hash.data | 4 +-
- .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
- .../size_overflow_plugin/size_overflow_transform.c | 3 -
- .../size_overflow_transform_core.c | 6 +++
- 11 files changed, 19 insertions(+), 59 deletions(-)
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 files changed, 14 insertions(+), 4 deletions(-)
-commit a2409394c2b0d97a9f02bf62ca4c0254602e58a6
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 20 08:58:25 2015 -0400
+commit f1ce0547bdfda1b42ae8a66c222f2a897cbe1586
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 17:48:01 2016 +0100
+
+ ALSA: timer: Fix race among timer ioctls
+
+ ALSA timer ioctls have an open race and this may lead to a
+ use-after-free of timer instance object. A simplistic fix is to make
+ each ioctl exclusive. We have already tread_sem for controlling the
+ tread, and extend this as a global mutex to be applied to each ioctl.
+
+ The downside is, of course, the worse concurrency. But these ioctls
+ aren't to be parallel accessible, in anyway, so it should be fine to
+ serialize there.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- set default to y
+ sound/core/timer.c | 32 +++++++++++++++++++-------------
+ 1 files changed, 19 insertions(+), 13 deletions(-)
- security/Kconfig | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+commit 8347d8461ed48a98f9c76cc3cfcdad8217d314bc
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 21:35:06 2016 +0100
-commit 3abe24117389419654da44adc87a9a03ad7e3f38
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 20 08:08:32 2015 -0400
+ ALSA: timer: Fix double unlink of active_list
+
+ ALSA timer instance object has a couple of linked lists and they are
+ unlinked unconditionally at snd_timer_stop(). Meanwhile
+ snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+ the element list itself unchanged. This ends up with unlinking twice,
+ and it was caught by syzkaller fuzzer.
+
+ The fix is to use list_del_init() variant properly there, too.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- Add a new config option from Emese to allow SIZE_OVERFLOW to be enabled
- while having it not kill the userland process in an overflow condition.
- This will help us obtain reports over the next few weeks while not making
- some percentage of users' machines unusable.
+ sound/core/timer.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 243aebb7ae71d6e11ea9880faa893d1d0d60cd75
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jan 18 18:03:48 2016 +0100
+
+ ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack
+
+ It was seen that defective configurations of openvswitch could overwrite
+ the STACK_END_MAGIC and cause a hard crash of the kernel because of too
+ many recursions within ovs.
+
+ This problem arises due to the high stack usage of openvswitch. The rest
+ of the kernel is fine with the current limit of 10 (RECURSION_LIMIT).
+
+ We use the already existing recursion counter in ovs_execute_actions to
+ implement an upper bound of 5 recursions.
- To enable this option, set CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL=y in .config
+ Cc: Pravin Shelar <pshelar@ovn.org>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- fs/exec.c | 5 +++++
- security/Kconfig | 4 ++++
- .../size_overflow_plugin/size_overflow_plugin.c | 4 ++--
- 3 files changed, 11 insertions(+), 2 deletions(-)
+ net/openvswitch/actions.c | 19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
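Review bot: the trailer of the ovs recursion-limit entry lists "Cc: Simon Horman <simon.horman@netronome.com>" twice (the second and fourth Cc: lines); drop the duplicate so the trailer block stays clean. The body is otherwise precise about the change it makes (lowering the bound from the kernel-wide RECURSION_LIMIT of 10 to 5 for ovs_execute_actions via the existing counter), which is the level of detail the other backported entries should match.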
-commit bcae982f720ce0b3463a81f2b72a4807cb89048b
-Merge: 0e55d80 128d3a5
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Oct 19 18:56:09 2015 -0400
+commit 8080793479c6d5befe37a67b1dbd9e4e0a61af96
+Author: Ursula Braun <ursula.braun@de.ibm.com>
+Date: Tue Jan 19 10:41:33 2016 +0100
- Merge branch 'pax-test' into grsec-test
+ af_iucv: Validate socket address length in iucv_sock_bind()
+
+ Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Evgeny Cherkashin <Eugene.Crosser@ru.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/iucv/af_iucv.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
-commit 128d3a5452ab001b29235b05eb0be3334fff3998
+commit 50a383c1c91ed7409c3cbdd41e662d6891463d1b
Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Oct 19 18:55:37 2015 -0400
+Date: Tue Jan 19 19:32:54 2016 -0500
- Update to pax-linux-4.2.3-test14.patch:
- - Emese fixed a false positive size overflow report, reported by gus (https://forums.grsecurity.net/viewtopic.php?t=4280)
- - fixed an integer sign mixup in usb_stor_invoke_transport, reported by Arnaud <arnaud@drno.eu>
+ Apply the same fix as everyone else for the recent keys vulnerability that is
+ unexploitable under PAX_REFCOUNT
+
+ Make a couple more changes that no one else can/will
- drivers/usb/storage/transport.c | 2 +-
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- .../size_overflow_plugin/size_overflow_transform.c | 15 +++-
- .../size_overflow_transform_core.c | 90 ++++++++++++++-----
- 4 files changed, 81 insertions(+), 28 deletions(-)
+ include/linux/key-type.h | 4 ++--
+ ipc/msgutil.c | 4 ++--
+ security/keys/internal.h | 2 +-
+ security/keys/process_keys.c | 1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
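Review bot: the "Apply the same fix as everyone else for the recent keys vulnerability" entry names no upstream commit id, Fixes: tag or CVE for the fix it mirrors, and "Make a couple more changes that no one else can/will" does not say what those changes are, so a reader cannot connect the description to the diffstat (include/linux/key-type.h, ipc/msgutil.c, security/keys/internal.h, security/keys/process_keys.c). The surrounding entries (e.g. the RDS and sctp backports) carry "commit ... upstream" or "Fixes:" references; add the equivalent here and one line per extra change so the entry is traceable.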
-commit 0e55d80a65998266cab71804131a072fcc8ee558
-Merge: a61fd15 9c4310f
+commit b56c3a63f431c193400aee17543021950bd14bc4
+Merge: 38b1a3d 470069c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 17 23:15:36 2015 -0400
+Date: Sun Jan 17 18:30:19 2016 -0500
Merge branch 'pax-test' into grsec-test
-commit 9c4310fdb2d19f83affc62eb2698d3763ce8c36b
+commit 470069cfedef2180313233d275be5901bd6d1135
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 17 23:15:13 2015 -0400
-
- Update to pax-linux-4.2.3-test14.patch:
- - reverted some page table hardening that caused too much slowdown under virtualization, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275)
-
- arch/x86/include/asm/pgtable-2level.h | 18 ++----------------
- arch/x86/include/asm/pgtable-3level.h | 10 ----------
- arch/x86/include/asm/pgtable_32.h | 2 ++
- arch/x86/include/asm/pgtable_64.h | 18 ++----------------
- arch/x86/mm/highmem_32.c | 2 ++
- arch/x86/mm/init_64.c | 2 ++
- arch/x86/mm/iomap_32.c | 4 ++++
- arch/x86/mm/pageattr.c | 4 ++++
- arch/x86/mm/pgtable.c | 2 ++
- arch/x86/mm/pgtable_32.c | 3 +++
- mm/highmem.c | 5 +++++
- mm/vmalloc.c | 7 +++++++
- 12 files changed, 35 insertions(+), 42 deletions(-)
-
-commit a61fd152e87bd3ed91194b07f6b1fcbcd165093b
-Merge: 00f1afa db7a8e5
+Date: Sun Jan 17 18:29:59 2016 -0500
+
+ Update to pax-linux-4.3.3-test22.patch:
+ - Emesed fixed a gcc induced intentional integer overflow in asix_rx_fixup_internal, reported by thomas callison caffrey
+ - fixed some more fallout from the drm_drivers constification, reported by Colin Childs and Toralf Foerster
+
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 ++++----------
+ drivers/gpu/drm/drm_pci.c | 3 +++
+ drivers/gpu/drm/gma500/psb_drv.c | 4 ----
+ drivers/gpu/drm/i915/i915_drv.c | 16 ++++++++--------
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 6 +++---
+ drivers/gpu/drm/radeon/radeon_drv.c | 4 +---
+ drivers/net/usb/asix_common.c | 3 ++-
+ include/drm/drmP.h | 1 +
+ 8 files changed, 22 insertions(+), 29 deletions(-)
+
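Review bot: typo in the pax-linux-4.3.3-test22 entry, "Emesed fixed a gcc induced intentional integer overflow" should read "Emese fixed ..." (the other entries in this file spell the name "Emese").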
+commit 38b1a3d676f407865c3d41840df8213c5ad639c1
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 17 18:33:48 2015 -0400
+Date: Sun Jan 17 12:33:53 2016 -0500
- Merge branch 'pax-test' into grsec-test
+ As reported by Luis Ressel, the Kconfig help for GRKERNSEC_BRUTE
+ mentioned banning execution of suid/sgid binaries, though the kernel
+ source clearly only mentions banning execution of suid binaries. Since
+ there's no reason for us to not ban execution of sgid binaries as well,
+ make the implementation match the Kconfig description.
-commit db7a8e5c284179889014b5929a40298e1b228fbc
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 17 18:33:22 2015 -0400
+ fs/exec.c | 4 ++--
+ grsecurity/grsec_sig.c | 27 ++++++++++++++-------------
+ include/linux/sched.h | 4 ++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
- Update to pax-linux-4.2.3-test13.patch:
- - Emese worked around a sign mixup with wiphy.rts_threshold, reported by gus (https://forums.grsecurity.net/viewtopic.php?f=3&t=4278)
+commit 8c3bcb7dbf7f606acfa0983e81f0f928da1f1ace
+Merge: d141a86 ea4a835
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:12:22 2016 -0500
- .../disable_size_overflow_hash.data | 2 ++
- .../size_overflow_plugin/size_overflow_hash.data | 2 --
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/gpu/drm/i810/i810_drv.c
-commit 00f1afa694317365e9bd6dc77d2e3e96ae3a68ec
-Merge: 7098385 57dc21d
+commit ea4a835328ada6513ac013986764d6caea8cd348
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 17 11:04:56 2015 -0400
+Date: Sat Jan 16 14:11:30 2016 -0500
- Merge branch 'pax-test' into grsec-test
+ Update to pax-linux-4.3.3-test21.patch:
+ - fixed some fallout from the drm_drivers constification, reported by spender
-commit 57dc21d203a9fa1312a4abc608da5b3644d29078
+ drivers/gpu/drm/armada/armada_drv.c | 3 +--
+ drivers/gpu/drm/exynos/exynos_drm_drv.c | 1 -
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 6 +++++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
+
+commit d141a86fd66194bc3f896b6809b189e2f12a9a83
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 17 11:04:34 2015 -0400
+Date: Sat Jan 16 13:16:36 2016 -0500
- Update to pax-linux-4.2.3-test12.patch:
- - removed size_overflow_hash.data.prev that was left behind by accident
- - Emese fixed a false positive overflow report in the megaraid driver due to a gcc limitation, reported by vortex (https://forums.grsecurity.net/viewtopic.php?f=3&t=4277)
+ compile fix
- drivers/scsi/megaraid/megaraid_sas.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 4 +++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
-commit 7098385851c43dea6692508c71cd5fbcce3187b2
-Merge: bc6d23e 78b0f64
+commit 0d9dc4b25ea32c14561bcfe6b5b24f1b00fe0270
+Merge: 5fa135d bbda879
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 16 17:45:06 2015 -0400
+Date: Sat Jan 16 12:59:22 2016 -0500
Merge branch 'pax-test' into grsec-test
-
- Conflicts:
- tools/gcc/size_overflow_plugin/intentional_overflow.c
-commit 78b0f643d8d2b870e8ad5df075d4ab79befa4266
+commit bbda87914edf63e27fb46670bf3a373f2b963c73
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 16 17:44:18 2015 -0400
-
- Update to pax-linux-4.2.3-test11.patch:
- - Emese fixed a few false positives caused by error codes
- - simplified the switch_mm code on x86 a bit
+Date: Sat Jan 16 12:58:04 2016 -0500
- arch/x86/include/asm/mmu_context.h | 118 +++++--------
- include/drm/drm_mm.h | 2 +-
- .../size_overflow_plugin/intentional_overflow.c | 11 +-
- tools/gcc/size_overflow_plugin/size_overflow.h | 19 ++-
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- .../size_overflow_plugin/size_overflow_transform.c | 178 +++++++++-----------
- .../size_overflow_transform_core.c | 31 ++--
- 7 files changed, 169 insertions(+), 192 deletions(-)
+ Update to pax-linux-4.3.3-test20.patch:
+ - constified drm_driver
+ - Emese fixed a special case in handling __func__ in the initify plugin
+ - Emese fixed a false positive size overflow report in handling inbufBits, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=567048)
+ - fixed regression that caused perf to not resolve kernel code addresses under KERNEXEC/i386, reported by minipli
-commit bc6d23e3408e389f8a96134f6bc915e9fc8b370b
+ arch/x86/kernel/cpu/perf_event.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_ds.c | 7 +-
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 4 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/mm/mpx.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 8 ++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ drivers/gpu/drm/drm_pci.c | 6 +-
+ drivers/gpu/drm/gma500/psb_drv.c | 5 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.c | 15 ++--
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_irq.c | 88 ++++++++++----------
+ drivers/gpu/drm/mga/mga_drv.c | 5 +-
+ drivers/gpu/drm/mga/mga_drv.h | 2 +-
+ drivers/gpu/drm/mga/mga_state.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 13 ++--
+ drivers/gpu/drm/qxl/qxl_drv.c | 8 ++-
+ drivers/gpu/drm/qxl/qxl_ioctl.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.c | 4 +-
+ drivers/gpu/drm/r128/r128_drv.h | 2 +-
+ drivers/gpu/drm/r128/r128_state.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.c | 17 +++-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_kms.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 2 +-
+ drivers/gpu/drm/savage/savage_bci.c | 2 +-
+ drivers/gpu/drm/savage/savage_drv.c | 5 +-
+ drivers/gpu/drm/savage/savage_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_drv.c | 5 +-
+ drivers/gpu/drm/sis/sis_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_mm.c | 2 +-
+ drivers/gpu/drm/via/via_dma.c | 2 +-
+ drivers/gpu/drm/via/via_drv.c | 5 +-
+ drivers/gpu/drm/via/via_drv.h | 2 +-
+ include/drm/drmP.h | 2 +-
+ mm/slab.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 6 +-
+ tools/gcc/initify_plugin.c | 15 +++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 3 +-
+ 42 files changed, 156 insertions(+), 110 deletions(-)
+
+commit 5fa135dc116350e0205c39ef65eaf6496ed2748a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 16 17:28:54 2015 -0400
+Date: Sat Jan 16 12:19:23 2016 -0500
- Update rpm devel spec, thanks to Andrew
+ compile fix
- scripts/package/mkspec | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ grsecurity/grsec_sig.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
-commit b3f30cb9207a72a6aa4a78f23f8c5353be0bb27b
+commit a9090fa58f33f75c7450fda5721a9b13625a47d9
Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 15 20:10:56 2015 -0400
+Date: Sat Jan 16 12:10:37 2016 -0500
- disable tracing support with GRKERNSEC_KMEM (it forces debugfs support on)
+ As pointed out by Jann Horn, some distros are starting to circumvent
+ previous assumptions about the attainability of a user to control
+ multiple UIDs by handing out suid binaries that allow a user to run
+ processes (including exploits) under a number of other pre-defined
+ UIDs. As this could potentially be used to bypass GRKERNSEC_BRUTE
+ (though it would have to involve some code path that doesn't involve
+ locks) fix that here by ensuring no more than 8 users on a system can
+ be banned before a reboot is required. If more are banned, a panic
+ is triggered.
- kernel/trace/Kconfig | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ grsecurity/grsec_sig.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
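Review bot: the new hard limit ("no more than 8 users on a system can be banned before a reboot is required. If more are banned, a panic is triggered") is a deliberate availability trade-off, but the diffstat touches only grsecurity/grsec_sig.c with no Kconfig help or documentation change. The entry just above this one corrected the GRKERNSEC_BRUTE Kconfig help for exactly this kind of description/implementation mismatch, so the limit and the panic behaviour should be stated in that help text as part of this change rather than only in the changelog.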
-commit 82a0c12587f14add438ddf3b558e2278fcb7a387
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 15 19:19:43 2015 -0400
-
- Force DEBUG_FS off the hard way, since 'select' can cause it to be
- inadvertently enabled. Add a backup check that fails the build if
- GRKERNSEC_KMEM is enabled with DEBUG_FS
- Ditto for PROC_PAGE_MONITOR
-
- arch/arc/Kconfig | 1 +
- arch/arm/Kconfig.debug | 1 +
- arch/arm64/Kconfig.debug | 1 +
- arch/blackfin/Kconfig.debug | 1 +
- arch/s390/Kconfig.debug | 1 +
- arch/x86/Kconfig.debug | 2 ++
- drivers/iommu/Kconfig | 1 +
- drivers/md/bcache/Kconfig | 1 +
- drivers/net/wireless/ath/ath9k/Kconfig | 1 -
- include/linux/grsecurity.h | 6 ++++++
- init/Kconfig | 1 +
- kernel/trace/Kconfig | 2 ++
- lib/Kconfig.debug | 6 +++++-
- mm/Kconfig | 3 +++
- net/sunrpc/Kconfig | 1 +
- 15 files changed, 27 insertions(+), 2 deletions(-)
-
-commit 1b6f8fc8b8100292647638c713326776a0865705
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 15 17:58:59 2015 -0400
+commit a8d37776e9521c567ebff6730d49312f72435f08
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Dec 3 11:12:07 2015 -0800
- Force DEBUG_FS off in the kernel config, even having it present is a security
- risk
+ proc: add a reschedule point in proc_readfd_common()
- Conflicts:
+ User can pass an arbitrary large buffer to getdents().
- lib/Kconfig.debug
+ It is typically a 32KB buffer used by libc scandir() implementation.
+
+ When scanning /proc/{pid}/fd, we can hold cpu way too long,
+ so add a cond_resched() to be kind with other tasks.
+
+ We've seen latencies of more than 50ms on real workloads.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- lib/Kconfig.debug | 1 +
+ fs/proc/fd.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
-commit 21057fc30571f96aa46acf8922417311905d0f2b
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 15 08:15:33 2015 -0400
+commit 0adba75f8708f13b1f5d98ebe3fc2fb961e100c8
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 12 20:17:08 2016 +0100
- Backport fix from: https://patchwork.kernel.org/patch/6853351/
- The debug_read_tlb() uses the sprintf() functions directly on the buffer
- allocated by buf = kmalloc(count), without taking into account the size
- of the buffer, with the consequence corrupting the heap, depending on
- the count requested by the user.
+ net: bpf: reject invalid shifts
- The patch fixes the issue replacing sprintf() by seq_printf().
+ On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
+ constant shift that can't be encoded in the immediate field of the
+ UBFM/SBFM instructions is passed to the JIT. Since these shifts
+ amounts, which are negative or >= regsize, are invalid, reject them in
+ the eBPF verifier and the classic BPF filter checker, for all
+ architectures.
- Signed-off-by: Salva Peiró <speirofr@gmail.com>
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/iommu/omap-iommu-debug.c | 26 +++++++-------------------
- drivers/iommu/omap-iommu.c | 28 +++++++++++-----------------
- drivers/iommu/omap-iommu.h | 3 +--
- 3 files changed, 19 insertions(+), 38 deletions(-)
+ kernel/bpf/verifier.c | 10 ++++++++++
+ net/core/filter.c | 5 +++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
-commit ba936d19274485bad900a69d679878a50faa50aa
-Author: Joe Perches <joe@perches.com>
-Date: Wed Oct 14 01:09:40 2015 -0700
+commit c248e115a73496625a1c64660d0eeefd67e55cbf
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri Jan 8 11:00:54 2016 -0200
- ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
+ sctp: fix use-after-free in pr_debug statement
+
+ Dmitry Vyukov reported a use-after-free in the code expanded by the
+ macro debug_post_sfx, which is caused by the use of the asoc pointer
+ after it was freed within sctp_side_effect() scope.
+
+ This patch fixes it by allowing sctp_side_effect to clear that asoc
+ pointer when the TCB is freed.
- It seems that kernel memory can leak into userspace by a
- kmalloc, ethtool_get_strings, then copy_to_user sequence.
+ As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
+ because it will trigger DELETE_TCB too on that same loop.
- Avoid this by using kcalloc to zero fill the copied buffer.
+ Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
+ but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
+ above. Fix it by returning SCTP_DISPOSITION_ABORT instead.
- Signed-off-by: Joe Perches <joe@perches.com>
- Acked-by: Ben Hutchings <ben@decadent.org.uk>
+ The macro is already prepared to handle such NULL pointer.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/core/ethtool.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit bae0a8209962cede6a0d486cf2414cac1747f91b
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 19:54:27 2015 -0400
+ net/sctp/sm_sideeffect.c | 11 ++++++-----
+ net/sctp/sm_statefuns.c | 17 ++++-------------
+ 2 files changed, 10 insertions(+), 18 deletions(-)
- Update size_overflow hash table
+commit 395ea8a9e73e184fc14153a033000bccf4213213
+Author: willy tarreau <w@1wt.eu>
+Date: Sun Jan 10 07:54:56 2016 +0100
- .../size_overflow_plugin/size_overflow_hash.data | 53 +++++++++++++++++--
- 1 files changed, 47 insertions(+), 6 deletions(-)
+ unix: properly account for FDs passed over unix sockets
+
+ It is possible for a process to allocate and accumulate far more FDs than
+ the process' limit by sending them over a unix socket then closing them
+ to keep the process' fd count low.
+
+ This change addresses this problem by keeping track of the number of FDs
+ in flight per user and preventing non-privileged processes from having
+ more FDs in flight than their configured FD limit.
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
-commit 1d840cc98b8f9b62d3c906ae24385f79c9131e29
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 19:50:48 2015 -0400
+ include/linux/sched.h | 1 +
+ net/unix/af_unix.c | 24 ++++++++++++++++++++----
+ net/unix/garbage.c | 13 ++++++++-----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
- Update size_overflow hash table
+commit cb207ab8fbd71dcfc4a49d533aba8085012543fd
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Thu Jan 7 14:52:43 2016 -0500
- .../size_overflow_plugin/size_overflow_hash.data | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+
+ proc_dostring() needs an initialized destination string, while the one
+ provided in proc_sctp_do_hmac_alg() contains stack garbage.
+
+ Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
+ accessing invalid memory.
+
+ Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
-commit fca9b7af6aebd1d80f364d6d849470e917919004
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 19:47:21 2015 -0400
+ net/sctp/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
- Update size_overflow hash table
+commit 4014e09faf0fe9054119624ccfff1236e886b554
+Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue Nov 24 17:13:21 2015 -0500
- .../size_overflow_plugin/size_overflow_hash.data | 300 ++++++++++++++++----
- 1 files changed, 244 insertions(+), 56 deletions(-)
+ RDS: fix race condition when sending a message on unbound socket
+
+ commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+ Sasha's found a NULL pointer dereference in the RDS connection code when
+ sending a message to an apparently unbound socket. The problem is caused
+ by the code checking if the socket is bound in rds_sendmsg(), which checks
+ the rs_bound_addr field without taking a lock on the socket. This opens a
+ race where rs_bound_addr is temporarily set but where the transport is not
+ in rds_bind(), leading to a NULL pointer dereference when trying to
+ dereference 'trans' in __rds_conn_create().
+
+ Vegard wrote a reproducer for this issue, so kindly ask him to share if
+ you're interested.
+
+ I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+ with this patch, whereas I could without.
+
+ Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+ Cc: David S. Miller <davem@davemloft.net>
+
+ Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+ Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
+ Conflicts:
+
+ net/rds/send.c
-commit 07cadc277ba83222698c99091c7da2c28275981f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 19:39:44 2015 -0400
+ net/rds/connection.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
- squelch some informational messages only used by Emese
+commit 206df8d01104344d7588d801016a281a4cd25556
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue Sep 8 10:53:40 2015 -0400
+
+ RDS: verify the underlying transport exists before creating a connection
+
+ There was no verification that an underlying transport exists when creating
+ a connection, this would cause dereferencing a NULL ptr.
+
+ It might happen on sockets that weren't properly bound before attempting to
+ send a message, which will cause a NULL ptr deref:
+
+ [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+ [135546.051270] Modules linked in:
+ [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+ [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+ [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+ [135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
+ [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+ [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+ [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+ [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+ [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+ [135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+ [135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+ [135546.064723] Stack:
+ [135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+ [135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+ [135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+ [135546.068629] Call Trace:
+ [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+ [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+ [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+ [135546.071981] rds_sendmsg (net/rds/send.c:1058)
+ [135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+ [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+ [135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+ [135546.076349] ? __might_fault (mm/memory.c:3795)
+ [135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+ [135546.078856] SYSC_sendto (net/socket.c:1657)
+ [135546.079596] ? SYSC_connect (net/socket.c:1628)
+ [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+ [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+ [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+ [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+ [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- .../size_overflow_plugin/intentional_overflow.c | 6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
+ net/rds/connection.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit 77eeeac20bde1e0ebd72efe0f7b5c52786411bc7
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 19:15:56 2015 -0400
+commit 173fa03f05cf0ad485d49a42cbdee8844d3a689a
+Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+Date: Tue Jan 5 20:32:47 2016 -0500
- Re-enable size_overflow
+ ftrace/module: Call clean up function when module init fails early
+
+ If the module init code fails after calling ftrace_module_init() and before
+ calling do_init_module(), we can suffer from a memory leak. This is because
+ ftrace_module_init() allocates pages to store the locations that ftrace
+ hooks are placed in the module text. If do_init_module() fails, it still
+ calls the MODULE_GOING notifiers which will tell ftrace to do a clean up of
+ the pages it allocated for the module. But if load_module() fails before
+ then, the pages allocated by ftrace_module_init() will never be freed.
+
+ Call ftrace_release_mod() on the module if load_module() fails before
+ getting to do_init_module().
+
+ Link: http://lkml.kernel.org/r/567CEA31.1070507@intel.com
+
+ Reported-by: "Qiu, PeiyangX" <peiyangx.qiu@intel.com>
+ Fixes: a949ae560a511 "ftrace/module: Hardcode ftrace_module_init() call into load_module()"
+ Cc: stable@vger.kernel.org # v2.6.38+
+ Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
- security/Kconfig | 1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
+ include/linux/ftrace.h | 1 +
+ kernel/module.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 0 deletions(-)
-commit cb8efa1fd63be1bbcf5e585396cc0ed562d0c624
-Merge: 913cbf6 4c48a7f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 17:14:42 2015 -0400
+commit 1e5a4a81a4c16c8ac2e264b88a02cc2f42ed0399
+Author: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Date: Wed Jan 6 00:18:48 2016 -0800
- Merge branch 'pax-test' into grsec-test
+ net: possible use after free in dst_release
- Conflicts:
- tools/gcc/size_overflow_plugin/size_overflow_hash.data
+ dst_release should not access dst->flags after decrementing
+ __refcnt to 0. The dst_entry may be in dst_busy_list and
+ dst_gc_task may dst_destroy it before dst_release gets a chance
+ to access dst->flags.
+
+ Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
+ Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+ Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
-commit 4c48a7fc8df9310f994708b42fe1102a2943917c
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 14 17:12:54 2015 -0400
-
- Update to pax-linux-4.2.3-test10.patch:
- - fixed accidentally dropped csum_partial_copy_generic_to_user entry point for pre-P6 i386 configs, by minipli
- - Emese fixed a bunch of false positives with the size overflow plugin, let's see how it goes in the real world :)
-
- arch/x86/include/asm/processor.h | 2 +-
- arch/x86/include/asm/ptrace.h | 8 +-
- arch/x86/lib/checksum_32.S | 2 +
- arch/x86/xen/mmu.c | 2 +-
- drivers/ata/libahci.c | 2 +-
- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
- drivers/oprofile/oprofile_files.c | 2 +-
- drivers/spi/spidev.c | 2 +-
- drivers/tty/n_tty.c | 2 +-
- drivers/usb/core/message.c | 6 +-
- fs/binfmt_elf.c | 2 +-
- fs/ubifs/io.c | 2 +-
- include/drm/drm_mm.h | 2 +-
- include/linux/completion.h | 12 +-
- include/linux/jiffies.h | 10 +-
- include/linux/kernel.h | 2 +-
- include/linux/mm.h | 2 +-
- include/linux/random.h | 4 +-
- include/linux/sched.h | 2 +-
- include/linux/usb.h | 2 +-
- kernel/sched/completion.c | 6 +-
- kernel/time/timer.c | 2 +-
- lib/bitmap.c | 2 +-
- mm/internal.h | 2 +-
- net/sunrpc/svcauth_unix.c | 2 +-
- .../disable_size_overflow_hash.data |22980 +++++++++++---------
- .../insert_size_overflow_asm.c | 7 +
- .../size_overflow_plugin/intentional_overflow.c | 10 +-
- tools/gcc/size_overflow_plugin/size_overflow.h | 29 +-
- .../gcc/size_overflow_plugin/size_overflow_debug.c | 20 +-
- .../size_overflow_plugin/size_overflow_hash.data |14092 ++++++++----
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 252 +-
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- .../size_overflow_plugin_hash.c | 13 +-
- .../size_overflow_plugin/size_overflow_transform.c | 205 +-
- .../size_overflow_transform_core.c | 4 +-
- 36 files changed, 21958 insertions(+), 15740 deletions(-)
+ net/core/dst.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit 913cbf6a23fcad570b776b1a5a71242b909c5c99
-Author: Dave Kleikamp <dave.kleikamp@oracle.com>
-Date: Mon Oct 5 10:08:51 2015 -0500
+commit bfb0455793dd4e0f0b49d34a68b3249ab55565cc
+Author: Alan <gnomes@lxorguk.ukuu.org.uk>
+Date: Wed Jan 6 14:55:02 2016 +0000
- crypto: sparc - initialize blkcipher.ivsize
+ mkiss: fix scribble on freed memory
- Some of the crypto algorithms write to the initialization vector,
- but no space has been allocated for it. This clobbers adjacent memory.
+ commit d79f16c046086f4fe0d42184a458e187464eb83e fixed a user triggerable
+ scribble on free memory but added a new one which allows the user to
+ scribble even more and user controlled data into freed space.
- Cc: stable@vger.kernel.org
- Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
- Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+ As with 6pack we need to halt the queue before we free the buffers, because
+ the transmit logic is not protected by the semaphore.
+
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- arch/sparc/crypto/aes_glue.c | 2 ++
- arch/sparc/crypto/camellia_glue.c | 1 +
- arch/sparc/crypto/des_glue.c | 2 ++
- 3 files changed, 5 insertions(+), 0 deletions(-)
+ drivers/net/hamradio/mkiss.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
-commit 7af7ad1e287067b7ea659dc0dd3e2e355588e246
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Oct 13 08:03:51 2015 -0400
+commit 5cbbcbd32dc1949470f61d342503808fa9555276
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:49 2015 -0500
- Apply fix by Tejun Heo for upstream bug reported on the forums by Fuxino:
- https://forums.grsecurity.net/viewtopic.php?f=3&t=4276#p15570
+ mkiss: Fix use after free in mkiss_close().
- Probably made more easily reproducible via SANITIZE, but we won't know for
- sure without a full oops report.
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
- For some reason even though this patch was marked for 4.2+ stable over a month
- ago, it still hasn't hit Greg's tree.
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- block/blk-cgroup.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit 8e1f29f9e1af36f71d12213ea6530eb77014c00c
-Author: Dmitry Vyukov <dvyukov@google.com>
-Date: Thu Sep 17 17:17:10 2015 +0200
-
- tty: fix data race on tty_buffer.commit
-
- Race on buffer data happens when newly committed data is
- picked up by an old flush work in the following scenario:
- __tty_buffer_request_room does a plain write of tail->commit,
- no barriers were executed before that.
- At this point flush_to_ldisc reads this new value of commit,
- and reads buffer data, no barriers in between.
- The committed buffer data is not necessary visible to flush_to_ldisc.
-
- Similar bug happens when tty_schedule_flip commits data.
-
- Update commit with smp_store_release and read commit with
- smp_load_acquire, as it is commit that signals data readiness.
- This is orthogonal to the existing synchronization on tty_buffer.next,
- which is required to not dismiss a buffer with unconsumed data.
-
- The data race was found with KernelThreadSanitizer (KTSAN).
-
- Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
- Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- drivers/tty/tty_buffer.c | 15 ++++++++++++---
- 1 files changed, 12 insertions(+), 3 deletions(-)
-
-commit d62db216e7182e24317596471c1a3a2a9fb9d1f5
-Author: Peter Hurley <peter@hurleysoftware.com>
-Date: Sun Jul 12 20:50:49 2015 -0400
-
- tty: Replace smp_rmb/smp_wmb with smp_load_acquire/smp_store_release
-
- Clarify flip buffer producer/consumer operation; the use of
- smp_load_acquire() and smp_store_release() more clearly indicates
- which memory access requires a barrier.
-
- Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- drivers/tty/tty_buffer.c | 10 ++++------
- 1 files changed, 4 insertions(+), 6 deletions(-)
-
-commit c6bbe8a6097f869b6a3d3c40d456727180573dd9
-Author: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
-Date: Fri Oct 2 08:27:05 2015 +0000
-
- tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
-
- My colleague ran into a program stall on a x86_64 server, where
- n_tty_read() was waiting for data even if there was data in the buffer
- in the pty. kernel stack for the stuck process looks like below.
- #0 [ffff88303d107b58] __schedule at ffffffff815c4b20
- #1 [ffff88303d107bd0] schedule at ffffffff815c513e
- #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818
- #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2
- #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23
- #5 [ffff88303d107dd0] tty_read at ffffffff81368013
- #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704
- #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57
- #8 [ffff88303d107f00] sys_read at ffffffff811a4306
- #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7
-
- There seems to be two problems causing this issue.
-
- First, in drivers/tty/n_tty.c, __receive_buf() stores the data and
- updates ldata->commit_head using smp_store_release() and then checks
- the wait queue using waitqueue_active(). However, since there is no
- memory barrier, __receive_buf() could return without calling
- wake_up_interactive_poll(), and at the same time, n_tty_read() could
- start to wait in wait_woken() as in the following chart.
-
- __receive_buf() n_tty_read()
- ------------------------------------------------------------------------
- if (waitqueue_active(&tty->read_wait))
- /* Memory operations issued after the
- RELEASE may be completed before the
- RELEASE operation has completed */
- add_wait_queue(&tty->read_wait, &wait);
- ...
- if (!input_available_p(tty, 0)) {
- smp_store_release(&ldata->commit_head,
- ldata->read_head);
- ...
- timeout = wait_woken(&wait,
- TASK_INTERRUPTIBLE, timeout);
- ------------------------------------------------------------------------
-
- The second problem is that n_tty_read() also lacks a memory barrier
- call and could also cause __receive_buf() to return without calling
- wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken()
- as in the chart below.
-
- __receive_buf() n_tty_read()
- ------------------------------------------------------------------------
- spin_lock_irqsave(&q->lock, flags);
- /* from add_wait_queue() */
- ...
- if (!input_available_p(tty, 0)) {
- /* Memory operations issued after the
- RELEASE may be completed before the
- RELEASE operation has completed */
- smp_store_release(&ldata->commit_head,
- ldata->read_head);
- if (waitqueue_active(&tty->read_wait))
- __add_wait_queue(q, wait);
- spin_unlock_irqrestore(&q->lock,flags);
- /* from add_wait_queue() */
- ...
- timeout = wait_woken(&wait,
- TASK_INTERRUPTIBLE, timeout);
- ------------------------------------------------------------------------
-
- There are also other places in drivers/tty/n_tty.c which have similar
- calls to waitqueue_active(), so instead of adding many memory barrier
- calls, this patch simply removes the call to waitqueue_active(),
- leaving just wake_up*() behind.
-
- This fixes both problems because, even though the memory access before
- or after the spinlocks in both wake_up*() and add_wait_queue() can
- sneak into the critical section, it cannot go past it and the critical
- section assures that they will be serialized (please see "INTER-CPU
- ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a
- better explanation). Moreover, the resulting code is much simpler.
-
- Latency measurement using a ping-pong test over a pty doesn't show any
- visible performance drop.
-
- Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
- Cc: stable@vger.kernel.org
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+commit b00171576794a98068e069a660f0991a6a5190ff
+Author: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Date: Tue Jan 5 11:51:25 2016 +0000
+
+ 6pack: fix free memory scribbles
+
+ commit acf673a3187edf72068ee2f92f4dc47d66baed47 fixed a user triggerable free
+ memory scribble but in doing so replaced it with a different one that allows
+ the user to control the data and scribble even more.
+
+ sixpack_close is called by the tty layer in tty context. The tty context is
+ protected by sp_get() and sp_put(). However network layer activity via
+ sp_xmit() is not protected this way. We must therefore stop the queue
+ otherwise the user gets to dump a buffer mostly of their choice into freed
+ kernel pages.
+
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/tty/n_tty.c | 15 +++++----------
- 1 files changed, 5 insertions(+), 10 deletions(-)
+ drivers/net/hamradio/6pack.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit 3af2011ac1a085a3e8c57ca3a840aec393b37db3
-Author: Dmitry Vyukov <dvyukov@google.com>
-Date: Thu Sep 17 17:17:08 2015 +0200
+commit 5b64a833907cd230a3106aeba2304b2c1bcd116d
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:32 2015 -0500
- tty: fix data race in flush_to_ldisc
-
- flush_to_ldisc reads port->itty and checks that it is not NULL,
- concurrently release_tty sets port->itty to NULL. It is possible
- that flush_to_ldisc loads port->itty once, ensures that it is
- not NULL, but then reloads it again and uses. The second load
- can already return NULL, which will cause a crash.
+ 6pack: Fix use after free in sixpack_close().
- Use READ_ONCE to read port->itty.
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
- The data race was found with KernelThreadSanitizer (KTSAN).
+ Also we need to use del_timer_sync() for the timers so that we don't
+ have any asynchronous references after the unregister.
- Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
- Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/tty/tty_buffer.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ drivers/net/hamradio/6pack.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
-commit 4a433f384b0a5b7e39f969ee8df89c56537d078d
-Author: Dmitry Vyukov <dvyukov@google.com>
-Date: Thu Sep 17 17:17:09 2015 +0200
+commit 4f9d532742656b3613d579220fd10c78f24ba37b
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 16:23:07 2016 +0100
- tty: fix data race in tty_buffer_flush
+ net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
- tty_buffer_flush frees not acquired buffers.
- As the result, for example, read of b->size in tty_buffer_free
- can return garbage value which will lead to a huge buffer
- hanging in the freelist. This is just the benignest
- manifestation of freeing of a not acquired object.
- If the object is passed to kfree, heap can be corrupted.
+ The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data
+ instructions since it XORs A with X while all the others replace A with
+ some loaded value. All the BPF JITs fail to clear A if this is used as
+ the first instruction in a filter. This was found using american fuzzy
+ lop.
- Acquire visibility over the buffer before freeing it.
+ Add a helper to determine if A needs to be cleared given the first
+ instruction in a filter, and use this in the JITs. Except for ARM, the
+ rest have only been compile-tested.
- The data race was found with KernelThreadSanitizer (KTSAN).
-
- Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
- Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum")
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/tty/tty_buffer.c | 5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
+ arch/arm/net/bpf_jit_32.c | 16 +---------------
+ arch/mips/net/bpf_jit.c | 16 +---------------
+ arch/powerpc/net/bpf_jit_comp.c | 13 ++-----------
+ arch/sparc/net/bpf_jit_comp.c | 17 ++---------------
+ include/linux/filter.h | 19 +++++++++++++++++++
+ 5 files changed, 25 insertions(+), 56 deletions(-)
-commit 1477c439d65debf45ac3164a1615504131fad1ff
-Author: Jann Horn <jann@thejh.net>
-Date: Sun Oct 4 19:29:12 2015 +0200
+commit 570d88f8acfffda92b89ae2e1c47320d47256034
+Author: John Fastabend <john.fastabend@gmail.com>
+Date: Tue Jan 5 09:11:36 2016 -0800
- drivers/tty: require read access for controlling terminal
+ net: sched: fix missing free per cpu on qstats
- This is mostly a hardening fix, given that write-only access to other
- users' ttys is usually only given through setgid tty executables.
+ When a qdisc is using per cpu stats (currently just the ingress
+ qdisc) only the bstats are being freed. This also free's the qstats.
- Signed-off-by: Jann Horn <jann@thejh.net>
- Cc: stable@vger.kernel.org
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Fixes: b0ab6f92752b9f9d8 ("net: sched: enable per cpu qstats")
+ Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/tty/tty_io.c | 31 +++++++++++++++++++++++++++----
- 1 files changed, 27 insertions(+), 4 deletions(-)
+ net/sched/sch_generic.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
-commit c2d51348729aa244b827216715db7734daf07155
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon Oct 12 07:19:03 2015 -0400
+commit 32c0ebc51857ee83470a10dcb234d308a0ed1881
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 18:34:04 2016 +0100
- Don't auto-enable UDEREF on x64 with a VirtualBox host
+ ARM: net: bpf: fix zero right shift
- Conflicts:
+ The LSR instruction cannot be used to perform a zero right shift since a
+ 0 as the immediate value (imm5) in the LSR instruction encoding means
+ that a shift of 32 is perfomed. See DecodeIMMShift() in the ARM ARM.
+
+ Make the JIT skip generation of the LSR if a zero-shift is requested.
- security/Kconfig
+ This was found using american fuzzy lop.
+
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- security/Kconfig | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ arch/arm/net/bpf_jit_32.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit 45ff0fe97624b7133be6f0280ab8fda4610b7937
-Merge: ca6828e 1c527d2
+commit 51f5d291750285efa4d4bbe84e5ec23dc00c8d2d
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 11 17:17:58 2015 -0400
+Date: Wed Jan 6 20:35:57 2016 -0500
- Merge branch 'pax-test' into grsec-test
+ Don't perform hidden lookups in RBAC against the directory of
+ a file being opened with O_CREAT, reported by Karl Witt
Conflicts:
- arch/x86/mm/pgtable.c
+
+ fs/namei.c
-commit 1c527d25ad2ece4cdb4723047625d96b942a3b91
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 11 17:16:49 2015 -0400
-
- Update to pax-linux-4.2.3-test9.patch:
- - really fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) and quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275)
- - fixed a compilation error caused by the above regression, reported by spender
- - fixed an arm compilation error, reported by Emese
-
- arch/arm/kernel/module-plts.c | 7 +------
- arch/x86/mm/pgtable.c | 21 +++++++++++++++++++--
- 2 files changed, 20 insertions(+), 8 deletions(-)
-
-commit ca6828e73b10b4a7537b16a37c2c0280523171e1
-Author: Trond Myklebust <trond.myklebust@primarydata.com>
-Date: Fri Oct 9 13:44:34 2015 -0400
-
- namei: results of d_is_negative() should be checked after dentry revalidation
-
- Leandro Awa writes:
- "After switching to version 4.1.6, our parallelized and distributed
- workflows now fail consistently with errors of the form:
-
- T34: ./regex.c:39:22: error: config.h: No such file or directory
-
- From our 'git bisect' testing, the following commit appears to be the
- possible cause of the behavior we've been seeing: commit 766c4cbfacd8"
-
- Al Viro says:
- "What happens is that 766c4cbfacd8 got the things subtly wrong.
-
- We used to treat d_is_negative() after lookup_fast() as "fall with
- ENOENT". That was wrong - checking ->d_flags outside of ->d_seq
- protection is unreliable and failing with hard error on what should've
- fallen back to non-RCU pathname resolution is a bug.
-
- Unfortunately, we'd pulled the test too far up and ran afoul of
- another kind of staleness. The dentry might have been absolutely
- stable from the RCU point of view (and we might be on UP, etc), but
- stale from the remote fs point of view. If ->d_revalidate() returns
- "it's actually stale", dentry gets thrown away and the original code
- wouldn't even have looked at its ->d_flags.
-
- What we need is to check ->d_flags where 766c4cbfacd8 does (prior to
- ->d_seq validation) but only use the result in cases where we do not
- discard this dentry outright"
-
- Reported-by: Leandro Awa <lawa@nvidia.com>
- Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911
- Fixes: 766c4cbfacd8 ("namei: d_is_negative() should be checked...")
- Tested-by: Leandro Awa <lawa@nvidia.com>
- Cc: stable@vger.kernel.org # v4.1+
- Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
- Acked-by: Al Viro <viro@zeniv.linux.org.uk>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ fs/namei.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
- fs/namei.c | 8 ++++++--
- 1 files changed, 6 insertions(+), 2 deletions(-)
+commit 5a8266a6b2769ccdb447256f95bc2577a73cccd1
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jan 5 10:46:00 2016 +0100
-commit c0181260ce096a814637ad60e45a64c94840fffa
-Author: Matt Fleming <matt.fleming@intel.com>
-Date: Fri Sep 25 23:02:18 2015 +0100
-
- x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down
-
- Beginning with UEFI v2.5 EFI_PROPERTIES_TABLE was introduced
- that signals that the firmware PE/COFF loader supports splitting
- code and data sections of PE/COFF images into separate EFI
- memory map entries. This allows the kernel to map those regions
- with strict memory protections, e.g. EFI_MEMORY_RO for code,
- EFI_MEMORY_XP for data, etc.
-
- Unfortunately, an unwritten requirement of this new feature is
- that the regions need to be mapped with the same offsets
- relative to each other as observed in the EFI memory map. If
- this is not done crashes like this may occur,
-
- BUG: unable to handle kernel paging request at fffffffefe6086dd
- IP: [<fffffffefe6086dd>] 0xfffffffefe6086dd
- Call Trace:
- [<ffffffff8104c90e>] efi_call+0x7e/0x100
- [<ffffffff81602091>] ? virt_efi_set_variable+0x61/0x90
- [<ffffffff8104c583>] efi_delete_dummy_variable+0x63/0x70
- [<ffffffff81f4e4aa>] efi_enter_virtual_mode+0x383/0x392
- [<ffffffff81f37e1b>] start_kernel+0x38a/0x417
- [<ffffffff81f37495>] x86_64_start_reservations+0x2a/0x2c
- [<ffffffff81f37582>] x86_64_start_kernel+0xeb/0xef
-
- Here 0xfffffffefe6086dd refers to an address the firmware
- expects to be mapped but which the OS never claimed was mapped.
- The issue is that included in these regions are relative
- addresses to other regions which were emitted by the firmware
- toolchain before the "splitting" of sections occurred at
- runtime.
-
- Needless to say, we don't satisfy this unwritten requirement on
- x86_64 and instead map the EFI memory map entries in reverse
- order. The above crash is almost certainly triggerable with any
- kernel newer than v3.13 because that's when we rewrote the EFI
- runtime region mapping code, in commit d2f7cbe7b26a ("x86/efi:
- Runtime services virtual mapping"). For kernel versions before
- v3.13 things may work by pure luck depending on the
- fragmentation of the kernel virtual address space at the time we
- map the EFI regions.
-
- Instead of mapping the EFI memory map entries in reverse order,
- where entry N has a higher virtual address than entry N+1, map
- them in the same order as they appear in the EFI memory map to
- preserve this relative offset between regions.
-
- This patch has been kept as small as possible with the intention
- that it should be applied aggressively to stable and
- distribution kernels. It is very much a bugfix rather than
- support for a new feature, since when EFI_PROPERTIES_TABLE is
- enabled we must map things as outlined above to even boot - we
- have no way of asking the firmware not to split the code/data
- regions.
-
- In fact, this patch doesn't even make use of the more strict
- memory protections available in UEFI v2.5. That will come later.
-
- Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
- Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
- Signed-off-by: Matt Fleming <matt.fleming@intel.com>
- Cc: <stable@vger.kernel.org>
- Cc: Borislav Petkov <bp@suse.de>
- Cc: Chun-Yi <jlee@suse.com>
- Cc: Dave Young <dyoung@redhat.com>
- Cc: H. Peter Anvin <hpa@zytor.com>
- Cc: James Bottomley <JBottomley@Odin.com>
- Cc: Lee, Chun-Yi <jlee@suse.com>
- Cc: Leif Lindholm <leif.lindholm@linaro.org>
- Cc: Linus Torvalds <torvalds@linux-foundation.org>
- Cc: Matthew Garrett <mjg59@srcf.ucam.org>
- Cc: Mike Galbraith <efault@gmx.de>
- Cc: Peter Jones <pjones@redhat.com>
- Cc: Peter Zijlstra <peterz@infradead.org>
- Cc: Thomas Gleixner <tglx@linutronix.de>
- Cc: linux-kernel@vger.kernel.org
- Link: http://lkml.kernel.org/r/1443218539-7610-2-git-send-email-matt@codeblueprint.co.uk
- Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/platform/efi/efi.c | 67 ++++++++++++++++++++++++++++++++++++++++++-
- 1 files changed, 66 insertions(+), 1 deletions(-)
-
-commit 9377caab146791c8c587da3750d6eddcd01bdfba
-Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Date: Fri Sep 25 23:02:19 2015 +0100
-
- arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions
-
- The new Properties Table feature introduced in UEFIv2.5 may
- split memory regions that cover PE/COFF memory images into
- separate code and data regions. Since these regions only differ
- in the type (runtime code vs runtime data) and the permission
- bits, but not in the memory type attributes (UC/WC/WT/WB), the
- spec does not require them to be aligned to 64 KB.
-
- Since the relative offset of PE/COFF .text and .data segments
- cannot be changed on the fly, this means that we can no longer
- pad out those regions to be mappable using 64 KB pages.
- Unfortunately, there is no annotation in the UEFI memory map
- that identifies data regions that were split off from a code
- region, so we must apply this logic to all adjacent runtime
- regions whose attributes only differ in the permission bits.
-
- So instead of rounding each memory region to 64 KB alignment at
- both ends, only round down regions that are not directly
- preceded by another runtime region with the same type
- attributes. Since the UEFI spec does not mandate that the memory
- map be sorted, this means we also need to sort it first.
-
- Note that this change will result in all EFI_MEMORY_RUNTIME
- regions whose start addresses are not aligned to the OS page
- size to be mapped with executable permissions (i.e., on kernels
- compiled with 64 KB pages). However, since these mappings are
- only active during the time that UEFI Runtime Services are being
- invoked, the window for abuse is rather small.
-
- Tested-by: Mark Salter <msalter@redhat.com>
- Tested-by: Mark Rutland <mark.rutland@arm.com> [UEFI 2.4 only]
- Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
- Signed-off-by: Matt Fleming <matt.fleming@intel.com>
- Reviewed-by: Mark Salter <msalter@redhat.com>
- Reviewed-by: Mark Rutland <mark.rutland@arm.com>
- Cc: <stable@vger.kernel.org> # v4.0+
- Cc: Catalin Marinas <catalin.marinas@arm.com>
- Cc: Leif Lindholm <leif.lindholm@linaro.org>
- Cc: Linus Torvalds <torvalds@linux-foundation.org>
- Cc: Mike Galbraith <efault@gmx.de>
- Cc: Peter Zijlstra <peterz@infradead.org>
- Cc: Thomas Gleixner <tglx@linutronix.de>
- Cc: Will Deacon <will.deacon@arm.com>
- Cc: linux-kernel@vger.kernel.org
- Link: http://lkml.kernel.org/r/1443218539-7610-3-git-send-email-matt@codeblueprint.co.uk
- Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/arm64/kernel/efi.c | 3 +-
- drivers/firmware/efi/libstub/arm-stub.c | 88 +++++++++++++++++++++++++-----
- 2 files changed, 75 insertions(+), 16 deletions(-)
-
-commit 189124f1e733622c44d72060832af3c68d7ee8bc
-Author: Ralf Baechle <ralf@linux-mips.org>
-Date: Fri Oct 2 09:48:57 2015 +0200
-
- MIPS: BPF: Fix load delay slots.
-
- The entire bpf_jit_asm.S is written in noreorder mode because "we know
- better" according to a comment. This also prevented the assembler from
- throwing in the required NOPs for MIPS I processors which have no
- load-use interlock, thus the load's consumer might end up using the
- old value of the register from prior to the load.
-
- Fixed by putting the assembler in reorder mode for just the affected
- load instructions. This is not enough for gas to actually try to be
- clever by looking at the next instruction and inserting a nop only
- when needed but as the comment said "we know better", so getting gas
- to unconditionally emit a NOP is just right in this case and prevents
- adding further ifdefery.
-
- Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-
- arch/mips/net/bpf_jit_asm.S | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
+ bridge: Only call /sbin/bridge-stp for the initial network namespace
+
+ [I stole this patch from Eric Biederman. He wrote:]
+
+ > There is no defined mechanism to pass network namespace information
+ > into /sbin/bridge-stp therefore don't even try to invoke it except
+ > for bridge devices in the initial network namespace.
+ >
+ > It is possible for unprivileged users to cause /sbin/bridge-stp to be
+ > invoked for any network device name which if /sbin/bridge-stp does not
+ > guard against unreasonable arguments or being invoked twice on the
+ > same network device could cause problems.
+
+ [Hannes: changed patch using netns_eq]
+
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_stp_if.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
-commit b4b012d6599fbc3c6e81f0a03cd59eb9f0095ed8
-Author: Lee, Chun-Yi <joeyli.kernel@gmail.com>
-Date: Tue Sep 29 20:58:57 2015 +0800
+commit 650d535cc39f0aeff2f57e60b6617be25d3ef48b
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Wed Dec 23 16:28:40 2015 -0200
- x86/kexec: Fix kexec crash in syscall kexec_file_load()
-
- The original bug is a page fault crash that sometimes happens
- on big machines when preparing ELF headers:
+ sctp: use GFP_USER for user-controlled kmalloc
- BUG: unable to handle kernel paging request at ffffc90613fc9000
- IP: [<ffffffff8103d645>] prepare_elf64_ram_headers_callback+0x165/0x260
+ Commit cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ missed two other spots.
- The bug is caused by us under-counting the number of memory ranges
- and subsequently not allocating enough ELF header space for them.
- The bug is typically masked on smaller systems, because the ELF header
- allocation is rounded up to the next page.
+ For connectx, as it's more likely to be used by kernel users of the API,
+ it detects if GFP_USER should be used or not.
- This patch modifies the code in fill_up_crash_elf_data() by using
- walk_system_ram_res() instead of walk_system_ram_range() to correctly
- count the max number of crash memory ranges. That's because the
- walk_system_ram_range() filters out small memory regions that
- reside in the same page, but walk_system_ram_res() does not.
+ Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit 5718a1f63c41fc156f729783423b002763779d04
+Author: Florian Westphal <fw@strlen.de>
+Date: Thu Dec 31 14:26:33 2015 +0100
+
+ connector: bump skb->users before callback invocation
- Here's how I found the bug:
+ Dmitry reports memleak with syskaller program.
+ Problem is that connector bumps skb usecount but might not invoke callback.
- After tracing prepare_elf64_headers() and prepare_elf64_ram_headers_callback(),
- the code uses walk_system_ram_res() to fill-in crash memory regions information
- to the program header, so it counts those small memory regions that
- reside in a page area.
+ So move skb_get to where we invoke the callback.
- But, when the kernel was using walk_system_ram_range() in
- fill_up_crash_elf_data() to count the number of crash memory regions,
- it filters out small regions.
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/connector.c | 11 +++--------
+ 1 files changed, 3 insertions(+), 8 deletions(-)
+
+commit 2e6372e6a97f8d642416899861f91777f44f13b7
+Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Sun Jan 3 18:56:38 2016 +0000
+
+ af_unix: Fix splice-bind deadlock
- I printed those small memory regions, for example:
+ On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
+ system call and AF_UNIX sockets,
- kexec: Get nr_ram ranges. vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0
+ http://lists.openwall.net/netdev/2015/11/06/24
- Based on the code in walk_system_ram_range(), this memory region
- will be filtered out:
+ The situation was analyzed as
- pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593
- end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593
- end_pfn - pfn = 0x77593 - 0x77593 = 0 <=== if (end_pfn > pfn) is FALSE
+ (a while ago) A: socketpair()
+ B: splice() from a pipe to /mnt/regular_file
+ does sb_start_write() on /mnt
+ C: try to freeze /mnt
+ wait for B to finish with /mnt
+ A: bind() try to bind our socket to /mnt/new_socket_name
+ lock our socket, see it not bound yet
+ decide that it needs to create something in /mnt
+ try to do sb_start_write() on /mnt, block (it's
+ waiting for C).
+ D: splice() from the same pipe to our socket
+ lock the pipe, see that socket is connected
+ try to lock the socket, block waiting for A
+ B: get around to actually feeding a chunk from
+ pipe to file, try to lock the pipe. Deadlock.
- So, the max_nr_ranges that's counted by the kernel doesn't include
- small memory regions - causing us to under-allocate the required space.
- That causes the page fault crash that happens in a later code path
- when preparing ELF headers.
+ on 2015/11/10 by Al Viro,
- This bug is not easy to reproduce on small machines that have few
- CPUs, because the allocated page aligned ELF buffer has more free
- space to cover those small memory regions' PT_LOAD headers.
+ http://lists.openwall.net/netdev/2015/11/10/4
- Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
- Cc: Andy Lutomirski <luto@kernel.org>
- Cc: Baoquan He <bhe@redhat.com>
- Cc: Jiang Liu <jiang.liu@linux.intel.com>
- Cc: Linus Torvalds <torvalds@linux-foundation.org>
- Cc: Mike Galbraith <efault@gmx.de>
- Cc: Peter Zijlstra <peterz@infradead.org>
- Cc: Stephen Rothwell <sfr@canb.auug.org.au>
- Cc: Takashi Iwai <tiwai@suse.de>
- Cc: Thomas Gleixner <tglx@linutronix.de>
- Cc: Viresh Kumar <viresh.kumar@linaro.org>
- Cc: Vivek Goyal <vgoyal@redhat.com>
- Cc: kexec@lists.infradead.org
- Cc: linux-kernel@vger.kernel.org
- Cc: <stable@vger.kernel.org>
- Link: http://lkml.kernel.org/r/1443531537-29436-1-git-send-email-jlee@suse.com
- Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/kernel/crash.c | 7 +++----
- 1 files changed, 3 insertions(+), 4 deletions(-)
-
-commit bf91f1e0162bdd27ebd1411090a81fd9188daa4f
-Author: Elad Raz <eladr@mellanox.com>
-Date: Sat Aug 22 08:44:11 2015 +0300
-
- netfilter: ipset: Fixing unnamed union init
+ The patch fixes this by removing the kern_path_create related code from
+ unix_mknod and executing it as part of unix_bind prior acquiring the
+ readlock of the socket in question. This means that A (as used above)
+ will sb_start_write on /mnt before it acquires the readlock, hence, it
+ won't indirectly block B which first did a sb_start_write and then
+ waited for a thread trying to acquire the readlock. Consequently, A
+ being blocked by C waiting for B won't cause a deadlock anymore
+ (effectively, both A and B acquire two locks in opposite order in the
+ situation described above).
- In continue to proposed Vinson Lee's post [1], this patch fixes compilation
- issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed
- unions causes compilation error in gcc 4.4.x.
+ Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
- References
+ Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- Visible links
- [1] https://lkml.org/lkml/2015/7/5/74
+ Conflicts:
- Signed-off-by: Elad Raz <eladr@mellanox.com>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+ net/unix/af_unix.c
+
+ net/unix/af_unix.c | 70 +++++++++++++++++++++++++++++++--------------------
+ 1 files changed, 42 insertions(+), 28 deletions(-)
+
+commit 2e729e557c571f3253e32472cd7d382ac16cf1c3
+Author: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date: Thu Dec 31 13:11:28 2015 +0800
+
+ tracing: Fix setting of start_index in find_next()
+
+ When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+ panic at t_show.
+
+ general protection fault: 0000 [#1] PREEMPT SMP
+ CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+ RIP: 0010:[<ffffffff811375b2>]
+ [<ffffffff811375b2>] t_show+0x22/0xe0
+ RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+ RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+ R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+ R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+ FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+ CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+ CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+ Call Trace:
+ [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+ [<ffffffff811b749b>] vfs_read+0x9b/0x160
+ [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+ [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+ Kernel panic - not syncing: Fatal exception
+
+ When the first time find_next calls find_next_mod_format, it should
+ iterate the trace_bprintk_fmt_list to find the first print format of
+ the module. However in current code, start_index is smaller than *pos
+ at first, and code will not iterate the list. Latter container_of will
+ get the wrong address with former v, which will cause mod_fmt be a
+ meaningless object and so is the returned mod_fmt->fmt.
+
+ This patch will fix it by correcting the start_index. After fixed,
+ when the first time calls find_next_mod_format, start_index will be
+ equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+ get the right module printk format, so is the returned mod_fmt->fmt.
+
+ Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+ Cc: stable@vger.kernel.org # 3.12+
+ Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+ Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/trace_printk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
- net/netfilter/ipset/ip_set_hash_netnet.c | 20 ++++++++++++++++++--
- net/netfilter/ipset/ip_set_hash_netportnet.c | 20 ++++++++++++++++++--
- 2 files changed, 36 insertions(+), 4 deletions(-)
+commit 0994af4b1930f32aa493dc08145cd304f8bfc8f4
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon Dec 28 20:47:08 2015 -0500
-commit fed13a5012b8d7e87a6f9efa2e40e0be28eaecd9
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 9 23:12:43 2015 -0400
+ [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64()
+
+ Cc: stable@vger.kernel.org # 3.15+
+ Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- compile fix
+ arch/arm/kernel/sys_oabi-compat.c | 73 +++++++++++++++++++------------------
+ 1 files changed, 37 insertions(+), 36 deletions(-)
- arch/x86/mm/pgtable.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
+commit 4ed030f65dcf3e6b0128032a49a7d75f947fa351
+Merge: de243c2 3adc55a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 5 18:10:10 2016 -0500
-commit 58edc15a668a6dd90b3f66abc84b509f8fba7505
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date: Mon Aug 31 19:11:02 2015 +0200
-
- netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths
-
- Commit 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack
- templates") migrated templates to the new allocator api, but forgot to
- update error paths for them in CT and synproxy to use nf_ct_tmpl_free()
- instead of nf_conntrack_free().
-
- Due to that, memory is being freed into the wrong kmemcache, but also
- we drop the per net reference count of ct objects causing an imbalance.
-
- In Brad's case, this leads to a wrap-around of net->ct.count and thus
- lets __nf_conntrack_alloc() refuse to create a new ct object:
-
- [ 10.340913] xt_addrtype: ipv6 does not support BROADCAST matching
- [ 10.810168] nf_conntrack: table full, dropping packet
- [ 11.917416] r8169 0000:07:00.0 eth0: link up
- [ 11.917438] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
- [ 12.815902] nf_conntrack: table full, dropping packet
- [ 15.688561] nf_conntrack: table full, dropping packet
- [ 15.689365] nf_conntrack: table full, dropping packet
- [ 15.690169] nf_conntrack: table full, dropping packet
- [ 15.690967] nf_conntrack: table full, dropping packet
- [...]
-
- With slab debugging, it also reports the wrong kmemcache (kmalloc-512 vs.
- nf_conntrack_ffffffff81ce75c0) and reports poison overwrites, etc. Thus,
- to fix the problem, export and use nf_ct_tmpl_free() instead.
-
- Fixes: 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack templates")
- Reported-by: Brad Jackson <bjackson0971@gmail.com>
- Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+ Merge branch 'pax-test' into grsec-test
- include/net/netfilter/nf_conntrack.h | 1 +
- net/netfilter/nf_conntrack_core.c | 3 ++-
- net/netfilter/nf_synproxy_core.c | 2 +-
- net/netfilter/xt_CT.c | 2 +-
- 4 files changed, 5 insertions(+), 3 deletions(-)
+commit 3adc55a5acfa429c2a7cc883aef08b960c0079b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 5 18:08:53 2016 -0500
+
+ Update to pax-linux-4.3.3-test16.patch:
+ - small cleanup in entry_64.S on x86
+ - Emese fixed the initify plugin to recursively check variable initializers, reported by Rasmus Villemoes
+ - fixed an integer truncation of a partially uninitialized value bug in em_pop_sreg, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4354)
+ - fixed alternatives patching of call insns under KERNEXEC/i386, reported by fly_a320 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4305) and TTgrsec (https://forums.grsecurity.net/viewtopic.php?f=3&t=4353)
+ - fixed a size overflow false positive that triggered in tcp_parse_options on arm, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350&p=15917#p15916)
+ - fixed a boot crash on amd64 with KERNEXEC/OR and CONTEXT_TRACKING, reported by Klaus Kusche (https://bugs.gentoo.org/show_bug.cgi?id=570420)
+
+ arch/x86/entry/entry_64.S | 60 +++++-----
+ arch/x86/kernel/alternative.c | 2 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ tools/gcc/initify_plugin.c | 123 +++++++++----------
+ .../disable_size_overflow_hash.data | 4 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ 6 files changed, 93 insertions(+), 102 deletions(-)
-commit 37d26e44573aaa9c3b1f0c36ec9d4bddc008fc03
+commit de243c26efd0e423ca92db825af2c3f8eb1ca043
Author: Brad Spengler <spender@grsecurity.net>
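Review bot: the af_unix backport entry that ends with "Conflicts:" / "net/unix/af_unix.c" records that the cherry-pick conflicted but says nothing about how the conflict was resolved, and this is a deadlock fix whose correctness rests on the exact ordering the message describes (sb_start_write on /mnt before the socket readlock); add a sentence under the Conflicts block stating what was changed during resolution, or drop the bare marker so it does not read as an unresolved note. A smaller style point in the same hunk: the tracing entry's tag "Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"" omits the parentheses that every other Fixes line here uses, e.g. "Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")".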
-Date: Fri Oct 9 18:22:54 2015 -0400
+Date: Tue Dec 29 18:01:24 2015 -0500
- Fix BUG() in scatterwalk_map_and_copy caused by virt_to_page being
- called on the KSTACKOVERFLOW's vmalloc'd stack. Thanks to
- Yves-Alexis Perez for the report
+ It was noticed during an internal audit that the code under GRKERNSEC_PROC_MEMMAP
+ which aimed to enforce a 16MB minimum on RLIMIT_DATA for suid/sgid binaries only
+ did so if RLIMIT_DATA was set lower than PAGE_SIZE.
+
+ This addition was only supplemental as GRKERNSEC_BRUTE is the main defense
+ against suid/sgid attacks and the flaw above would only eliminate the extra
+ entropy provided for the brk-managed heap, still leaving it with the minimum
+ of 16-bit entropy for mmap on x86 and 28 on x64.
- crypto/scatterwalk.c | 10 ++++++++--
- 1 files changed, 8 insertions(+), 2 deletions(-)
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-commit 8137d53d2b60023587a48004f0b67946ed6db4a8
-Merge: 147420b a9c991f
+commit 8e264cfe47e5f08cdc9ed009a630277206cd2534
+Merge: 436201b 2584340
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 9 18:20:32 2015 -0400
+Date: Mon Dec 28 20:30:01 2015 -0500
Merge branch 'pax-test' into grsec-test
-commit a9c991f727bb8daf15838296e301683791c17071
+commit 2584340eab494e64ec1bf9eb5b0d1ae31f926306
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 9 18:20:07 2015 -0400
-
- Update to pax-linux-4.2.3-test8.patch:
- - fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272)
+Date: Mon Dec 28 20:29:28 2015 -0500
+
+ Update to pax-linux-4.3.3-test14.patch:
+ - fixed an integer sign conversion error in i2c_dw_pci_probe caught by the size overflow plugin, reported by Jean Lucas and ganymede (https://forums.grsecurity.net/viewtopic.php?f=3&t=4349)
+ - fixed shutdown crash with tboot and KERNEXEC, reported by perfinion
+ - fixed a few false positive and one real size overflow reports in hyperv, reported by hunger
+ - fixed compile regressions on armv5, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350)
+ - fixed an assert in the initify plugin that triggered in vic_register on arm
+
+ arch/arm/include/asm/atomic.h | 7 +++++--
+ arch/arm/include/asm/domain.h | 5 ++---
+ arch/x86/kernel/tboot.c | 14 +++++++++-----
+ drivers/hv/channel.c | 4 +---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 3 +--
+ fs/exec.c | 4 ++--
+ include/linux/atomic.h | 15 ---------------
+ net/core/skbuff.c | 3 ++-
+ tools/gcc/initify_plugin.c | 4 +++-
+ 10 files changed, 26 insertions(+), 35 deletions(-)
+
+commit 436201b6626b488d173c8076447000077c27b84a
+Author: David Howells <dhowells@redhat.com>
+Date: Fri Dec 18 01:34:26 2015 +0000
+
+ KEYS: Fix race between read and revoke
+
+ This fixes CVE-2015-7550.
+
+ There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+ happens between keyctl_read() checking the validity of a key and the key's
+ semaphore being taken, then the key type read method will see a revoked key.
+
+ This causes a problem for the user-defined key type because it assumes in
+ its read method that there will always be a payload in a non-revoked key
+ and doesn't check for a NULL pointer.
+
+ Fix this by making keyctl_read() check the validity of a key after taking
+ semaphore instead of before.
+
+ I think the bug was introduced with the original keyrings code.
+
+ This was discovered by a multithreaded test program generated by syzkaller
+ (http://github.com/google/syzkaller). Here's a cleaned up version:
+
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
+
+ Build as:
+
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+ Run as:
+
+ while keyctl-race; do :; done
+
+ as it may need several iterations to crash the kernel. The crash can be
+ summarised as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: James Morris <james.l.morris@oracle.com>
- arch/x86/kernel/espfix_64.c | 4 +---
- arch/x86/kernel/kvmclock.c | 20 ++++++--------------
- arch/x86/mm/highmem_32.c | 2 ++
- arch/x86/mm/pgtable.c | 33 +++++++++++++++++++++++++++++++++
- 4 files changed, 42 insertions(+), 17 deletions(-)
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
-commit 147420b0f00c7f20f354e1dfa460b904a3af432b
+commit 195cea04477025da4a2078bd3e1fb7c4e11206c2
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Oct 9 08:54:24 2015 -0400
+Date: Tue Dec 22 20:44:01 2015 -0500
- Properly fix the bug reported at:
- https://code.google.com/p/android/issues/detail?id=187973
+ Add new kernel command-line param: pax_size_overflow_report_only
+ If a user triggers a size_overflow violation that makes it difficult
+ to obtain the call trace without serial console/net console, they can
+ use this option to provide that information to us
- drivers/net/slip/slhc.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ Documentation/kernel-parameters.txt | 5 +++++
+ fs/exec.c | 12 +++++++++---
+ init/main.c | 11 +++++++++++
+ 3 files changed, 25 insertions(+), 3 deletions(-)
-commit 4918a68ea80e1185ec8f3a94d3a2210552ed0bb5
-Merge: 4e736d9 7e02f35
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 7 20:57:21 2015 -0400
+commit 4254a8da5851df8c08cdca5c392916e8c105408d
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon Dec 21 10:55:45 2015 -0800
- Merge branch 'pax-test' into grsec-test
+ addrconf: always initialize sysctl table data
- Conflicts:
- arch/x86/kernel/espfix_64.c
-
-commit 7e02f35880fd6bdb2f4e7ba07a13d6df1d121008
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 7 20:54:36 2015 -0400
-
- Update to pax-linux-4.2.3-test7.patch:
- - backported vanilla commits b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 and 176fc2d5770a0990eebff903ba680d2edd32e718
- - constified a few more page tables for ESPFIX/amd64
- - fixed xen and the recently added level1_modules_pgt page tables on amd64
+ When sysctl performs restrict writes, it allows to write from
+ a middle position of a sysctl file, which requires us to initialize
+ the table data before calling proc_dostring() for the write case.
+
+ Fixes: 3d1bec99320d ("ipv6: introduce secret_stable to ipv6_devconf")
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Tested-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- arch/x86/include/asm/pgtable_64.h | 1 +
- arch/x86/kernel/espfix_64.c | 35 +++++++++++++++++++++++----------
- arch/x86/xen/mmu.c | 4 +++
- drivers/base/regmap/regmap-debugfs.c | 14 +++++-------
- 4 files changed, 35 insertions(+), 19 deletions(-)
+ net/ipv6/addrconf.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
-commit 4e736d9e568f6cc0d08dfe7519abf9a5d58a5418
-Author: Robin Murphy <robin.murphy@arm.com>
-Date: Thu Oct 1 15:37:19 2015 -0700
+commit f8002863fb06c363180637046947a78a6ccb3d33
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed Dec 16 23:39:04 2015 -0800
- dmapool: fix overflow condition in pool_find_page()
+ net: check both type and procotol for tcp sockets
- If a DMA pool lies at the very top of the dma_addr_t range (as may
- happen with an IOMMU involved), the calculated end address of the pool
- wraps around to zero, and page lookup always fails.
+ Dmitry reported the following out-of-bound access:
- Tweak the relevant calculation to be overflow-proof.
+ Call Trace:
+ [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
+ mm/kasan/report.c:294
+ [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
+ [< inline >] SYSC_setsockopt net/socket.c:1746
+ [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
+ [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
+ arch/x86/entry/entry_64.S:185
- Signed-off-by: Robin Murphy <robin.murphy@arm.com>
- Cc: Arnd Bergmann <arnd@arndb.de>
- Cc: Marek Szyprowski <m.szyprowski@samsung.com>
- Cc: Sumit Semwal <sumit.semwal@linaro.org>
- Cc: Sakari Ailus <sakari.ailus@iki.fi>
- Cc: Russell King <rmk+kernel@arm.linux.org.uk>
- Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ This is because we mistake a raw socket as a tcp socket.
+ We should check both sk->sk_type and sk->sk_protocol to ensure
+ it is a tcp socket.
+
+ Willem points out __skb_complete_tx_timestamp() needs to fix as well.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Acked-by: Willem de Bruijn <willemb@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- mm/dmapool.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ net/core/skbuff.c | 3 ++-
+ net/core/sock.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
-commit 96a101a9b4208a6e5f2a0db7599881142e70ba43
-Author: Greg Thelen <gthelen@google.com>
-Date: Thu Oct 1 15:37:05 2015 -0700
+commit bd6b3399804470a4ad8f34229469ca149dceba3d
+Author: Colin Ian King <colin.king@canonical.com>
+Date: Fri Dec 18 14:22:01 2015 -0800
- memcg: make mem_cgroup_read_stat() unsigned
-
- mem_cgroup_read_stat() returns a page count by summing per cpu page
- counters. The summing is racy wrt. updates, so a transient negative
- sum is possible. Callers don't want negative values:
+ proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
- - mem_cgroup_wb_stats() doesn't want negative nr_dirty or nr_writeback.
- This could confuse dirty throttling.
+ Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit
+ 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") removed
+ the setting of ret after the get_proc_task call and incorrectly left it as
+ -ESRCH. Instead, return 0 when successful.
- - oom reports and memory.stat shouldn't show confusing negative usage.
+ Example breakage:
- - tree_usage() already avoids negatives.
+ echo 0 > /proc/self/coredump_filter
+ bash: echo: write error: No such process
- Avoid returning negative page counts from mem_cgroup_read_stat() and
- convert it to unsigned.
-
- [akpm@linux-foundation.org: fix old typo while we're in there]
- Signed-off-by: Greg Thelen <gthelen@google.com>
- Cc: Johannes Weiner <hannes@cmpxchg.org>
- Acked-by: Michal Hocko <mhocko@suse.com>
- Cc: <stable@vger.kernel.org> [4.2+]
+ Fixes: 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()")
+ Signed-off-by: Colin Ian King <colin.king@canonical.com>
+ Acked-by: Kees Cook <keescook@chromium.org>
+ Cc: <stable@vger.kernel.org> [4.3+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
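Review bot: the "KEYS: Fix race between read and revoke" entry (the CVE-2015-7550 fix) carries a bare "Cc: stable@vger.kernel.org" with neither a version range nor a Fixes: tag, while the message itself only says "I think the bug was introduced with the original keyrings code."; the other stable-tagged entries in this changelog give a range (e.g. "Cc: stable@vger.kernel.org # 3.12+", "Cc: stable@vger.kernel.org # 3.15+"). Add a range or a Fixes: reference so it is clear which series this read/revoke race applies to, since as written a reader cannot tell whether the entry is meant for every maintained kernel.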
- mm/memcontrol.c | 30 ++++++++++++++++++------------
- 1 files changed, 18 insertions(+), 12 deletions(-)
-
-commit b7808c46650d5f4c09f071566de991af36eb9d37
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date: Fri Oct 2 12:06:03 2015 +0200
-
- bpf: fix panic in SO_GET_FILTER with native ebpf programs
-
- When sockets have a native eBPF program attached through
- setsockopt(sk, SOL_SOCKET, SO_ATTACH_BPF, ...), and then try to
- dump these over getsockopt(sk, SOL_SOCKET, SO_GET_FILTER, ...),
- the following panic appears:
-
- [49904.178642] BUG: unable to handle kernel NULL pointer dereference at (null)
- [49904.178762] IP: [<ffffffff81610fd9>] sk_get_filter+0x39/0x90
- [49904.182000] PGD 86fc9067 PUD 531a1067 PMD 0
- [49904.185196] Oops: 0000 [#1] SMP
- [...]
- [49904.224677] Call Trace:
- [49904.226090] [<ffffffff815e3d49>] sock_getsockopt+0x319/0x740
- [49904.227535] [<ffffffff812f59e3>] ? sock_has_perm+0x63/0x70
- [49904.228953] [<ffffffff815e2fc8>] ? release_sock+0x108/0x150
- [49904.230380] [<ffffffff812f5a43>] ? selinux_socket_getsockopt+0x23/0x30
- [49904.231788] [<ffffffff815dff36>] SyS_getsockopt+0xa6/0xc0
- [49904.233267] [<ffffffff8171b9ae>] entry_SYSCALL_64_fastpath+0x12/0x71
-
- The underlying issue is the very same as in commit b382c0865600
- ("sock, diag: fix panic in sock_diag_put_filterinfo"), that is,
- native eBPF programs don't store an original program since this
- is only needed in cBPF ones.
-
- However, sk_get_filter() wasn't updated to test for this at the
- time when eBPF could be attached. Just throw an error to the user
- to indicate that eBPF cannot be dumped over this interface.
- That way, it can also be known that a program _is_ attached (as
- opposed to just return 0), and a different (future) method needs
- to be consulted for a dump.
-
- Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets")
- Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
- Acked-by: Alexei Starovoitov <ast@plumgrid.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- net/core/filter.c | 6 +++++-
- 1 files changed, 5 insertions(+), 1 deletions(-)
+ fs/proc/base.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit 40853c884afb5fc2dcb9f7fc34ef446162566fcc
-Author: Steve French <smfrench@gmail.com>
-Date: Mon Sep 28 17:21:07 2015 -0500
+commit b28aca2b99ed08546778355fb9402c503ff9b29e
+Author: Junichi Nomura <j-nomura@ce.jp.nec.com>
+Date: Tue Dec 22 10:23:44 2015 -0700
- [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
+ block: ensure to split after potentially bouncing a bio
- The error paths in set_file_size for cifs and smb3 are incorrect.
+ blk_queue_bio() does split then bounce, which makes the segment
+ counting based on pages before bouncing and could go wrong. Move
+ the split to after bouncing, like we do for blk-mq, and the we
+ fix the issue of having the bio count for segments be wrong.
- In the unlikely event that a server did not support set file info
- of the file size, the code incorrectly falls back to trying SMBWriteX
- (note that only the original core SMB Write, used for example by DOS,
- can set the file size this way - this actually does not work for the more
- recent SMBWriteX). The idea was since the old DOS SMB Write could set
- the file size if you write zero bytes at that offset then use that if
- server rejects the normal set file info call.
+ Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
+ Cc: stable@vger.kernel.org
+ Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
+ Signed-off-by: Jens Axboe <axboe@fb.com>
+
+ block/blk-core.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
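Review bot: the "block: ensure to split after potentially bouncing a bio" entry in this region is missing the author's Signed-off-by: the Author line names Junichi Nomura, but the only Signed-off-by recorded is Jens Axboe's, so the DCO chain for the change is incomplete as written. The body also has a typo, "like we do for blk-mq, and the we fix the issue", which should read "and then we fix the issue".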
+commit e62a25e917a9e5b35ddd5b4f1b5e5e30fbd2e84c
+Merge: f6f63ae ec72fa5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 22 19:46:26 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ec72fa5f8d9cb4e223bad1b8b5c2e1071c222f2a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 22 19:45:51 2015 -0500
+
+ Update to pax-linux-4.3.3-test13.patch:
+ - Emese fixed a (probably) false positive integer truncation in xfs_da_grow_inode_int, reported by jdkbx (http://forums.grsecurity.net/viewtopic.php?f=3&t=4346)
+ - fixed a size overflow in btrfs/try_merge_map, reported by Alex W (https://bugs.archlinux.org/task/47173) and mathias and dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4344)
+
+ arch/arm/mm/fault.c | 2 +-
+ arch/x86/mm/fault.c | 2 +-
+ fs/btrfs/extent_map.c | 8 ++++++--
+ fs/xfs/libxfs/xfs_da_btree.c | 4 +++-
+ 4 files changed, 11 insertions(+), 5 deletions(-)
+
+commit f6f63ae154cd45028add1dc41957878060d77fbf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 17 18:43:44 2015 -0500
+
+ ptrace_has_cap() checks whether the current process should be
+ treated as having a certain capability for ptrace checks
+ against another process. Until now, this was equivalent to
+ has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
+
+ However, if a root-owned process wants to enter a user
+ namespace for some reason without knowing who owns it and
+ therefore can't change to the namespace owner's uid and gid
+ before entering, as soon as it has entered the namespace,
+ the namespace owner can attach to it via ptrace and thereby
+ gain access to its uid and gid.
+
+ While it is possible for the entering process to switch to
+ the uid of a claimed namespace owner before entering,
+ causing the attempt to enter to fail if the claimed uid is
+ wrong, this doesn't solve the problem of determining an
+ appropriate gid.
+
+ With this change, the entering process can first enter the
+ namespace and then safely inspect the namespace's
+ properties, e.g. through /proc/self/{uid_map,gid_map},
+ assuming that the namespace owner doesn't have access to
+ uid 0.
+ Signed-off-by: Jann Horn <jann@thejh.net>
+
+ kernel/ptrace.c | 30 +++++++++++++++++++++++++-----
+ 1 files changed, 25 insertions(+), 5 deletions(-)
+
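Review bot: the kernel/ptrace.c entry in this region has no subject line; the message opens directly with the body text ("ptrace_has_cap() checks whether the current process should be treated as having a certain capability ...") and the trailing Signed-off-by follows the body without the usual blank line. The message also states only the old behaviour (equivalent to has_ns_capability(current, target_ns, CAP_SYS_PTRACE)) and the scenario it guards against, but never says what ptrace_has_cap() checks after the change, so a changelog reader cannot tell how the new rule differs; suggest a one-line summary plus a sentence stating the new check.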
+commit e314f0fb63020f61543b401ff594e953c2c304e5
+Author: tadeusz.struk@intel.com <tadeusz.struk@intel.com>
+Date: Tue Dec 15 10:46:17 2015 -0800
+
+ net: fix uninitialized variable issue
- Fortunately the SMBWriteX will never be sent on the wire (except when
- file size is zero) since the length and offset fields were reversed
- in the two places in this function that call SMBWriteX causing
- the fall back path to return an error. It is also important to never call
- an SMB request from an SMB2/sMB3 session (which theoretically would
- be possible, and can cause a brief session drop, although the client
- recovers) so this should be fixed. In practice this path does not happen
- with modern servers but the error fall back to SMBWriteX is clearly wrong.
+ msg_iocb needs to be initialized on the recv/recvfrom path.
+ Otherwise afalg will wrongly interpret it as an async call.
- Removing the calls to SMBWriteX in the error paths in cifs_set_file_size
+ Cc: stable@vger.kernel.org
+ Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+ Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/socket.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a3f56a43ad56b8fcaf04f6327636ed2f5970de3b
+Merge: dfa764c 142edcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 16 21:01:17 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 142edcf1005a57fb8887823565cf0bafad2f313c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 16 21:00:57 2015 -0500
+
+ Update to pax-linux-4.3.3-test12.patch:
+ - Emese fixed a size overflow false positive in reiserfs/leaf_paste_entries, reported by Christian Apeltauer (https://bugs.gentoo.org/show_bug.cgi?id=568046)
+ - fixed a bunch of int/size_t mismatches in the drivers/tty/n_tty.c code causing size overflow false positives, reported by Toralf Förster, mathias (https://forums.grsecurity.net/viewtopic.php?f=3&t=4342), N8Fear (https://forums.grsecurity.net/viewtopic.php?f=3&t=4341)
+
+ drivers/tty/n_tty.c | 16 ++++++++--------
+ .../disable_size_overflow_hash.data | 2 ++
+ .../size_overflow_plugin/size_overflow_hash.data | 6 ++----
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+commit dfa764cc549892a5bfc1083cac78b99032cae577
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Dec 15 22:59:12 2015 +0100
+
+ ipv6: automatically enable stable privacy mode if stable_secret set
- Pointed out by PaX/grsecurity team
+ Bjørn reported that while we switch all interfaces to privacy stable mode
+ when setting the secret, we don't set this mode for new interfaces. This
+ does not make sense, so change this behaviour.
- Signed-off-by: Steve French <steve.french@primarydata.com>
- Reported-by: PaX Team <pageexec@freemail.hu>
- CC: Emese Revfy <re.emese@gmail.com>
- CC: Brad Spengler <spender@grsecurity.net>
- CC: Stable <stable@vger.kernel.org>
+ Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf")
+ Reported-by: Bjørn Mork <bjorn@mork.no>
+ Cc: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/addrconf.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
- fs/cifs/inode.c | 34 ----------------------------------
- 1 files changed, 0 insertions(+), 34 deletions(-)
+commit c2815a1fee03f222273e77c14e43f960da06f35a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 16 13:03:38 2015 -0500
+
+ Work around upstream limitation on the number of thread info flags causing a compilation error
+ Reported by fabled at http://forums.grsecurity.net/viewtopic.php?f=3&t=4339
+
+ arch/arm/kernel/entry-common.S | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
-commit f5fad97c967a08f4a89513969598b1d3c8232a38
+commit 8c9ae168e09ae49324d709d76d73d9fc4ca477e1
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Oct 7 18:22:40 2015 -0400
+Date: Tue Dec 15 19:03:41 2015 -0500
- Initial import of grsecurity for Linux 4.2.3
- Note that size_overflow is currently marked BROKEN
+ Initial import of grsecurity 3.1 for Linux 4.3.3
Documentation/dontdiff | 2 +
Documentation/kernel-parameters.txt | 7 +
Makefile | 18 +-
arch/alpha/include/asm/cache.h | 4 +-
arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arc/Kconfig | 1 +
arch/arm/Kconfig | 1 +
- arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/Kconfig.debug | 1 +
+ arch/arm/include/asm/thread_info.h | 7 +-
arch/arm/kernel/process.c | 4 +-
arch/arm/kernel/ptrace.c | 9 +
arch/arm/kernel/traps.c | 7 +-
arch/arm/mm/fault.c | 40 +-
arch/arm/mm/mmap.c | 8 +-
arch/arm/net/bpf_jit_32.c | 51 +-
+ arch/arm64/Kconfig.debug | 1 +
arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/Kconfig.debug | 1 +
arch/blackfin/include/asm/cache.h | 3 +-
arch/cris/include/arch-v10/arch/cache.h | 3 +-
arch/cris/include/arch-v32/arch/cache.h | 3 +-
arch/parisc/include/asm/cache.h | 5 +-
arch/parisc/kernel/sys_parisc.c | 4 +
arch/powerpc/Kconfig | 1 +
- arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/cache.h | 4 +-
arch/powerpc/include/asm/thread_info.h | 5 +-
arch/powerpc/kernel/Makefile | 2 +
arch/powerpc/kernel/irq.c | 3 +
arch/powerpc/kernel/ptrace.c | 14 +
arch/powerpc/kernel/traps.c | 5 +
arch/powerpc/mm/slice.c | 2 +-
+ arch/s390/Kconfig.debug | 1 +
arch/s390/include/asm/cache.h | 4 +-
arch/score/include/asm/cache.h | 4 +-
arch/sh/include/asm/cache.h | 3 +-
arch/um/include/asm/cache.h | 3 +-
arch/unicore32/include/asm/cache.h | 6 +-
arch/x86/Kconfig | 21 +
+ arch/x86/Kconfig.debug | 2 +
+ arch/x86/entry/common.c | 14 +
arch/x86/entry/entry_32.S | 2 +-
arch/x86/entry/entry_64.S | 2 +-
arch/x86/ia32/ia32_aout.c | 2 +
arch/x86/include/asm/floppy.h | 20 +-
+ arch/x86/include/asm/fpu/types.h | 69 +-
arch/x86/include/asm/io.h | 2 +-
arch/x86/include/asm/page.h | 12 +-
arch/x86/include/asm/paravirt_types.h | 23 +-
- arch/x86/include/asm/processor.h | 2 +-
- arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/include/asm/processor.h | 12 +-
+ arch/x86/include/asm/thread_info.h | 6 +-
+ arch/x86/include/asm/uaccess.h | 2 +-
arch/x86/kernel/dumpstack.c | 10 +-
arch/x86/kernel/dumpstack_32.c | 2 +-
arch/x86/kernel/dumpstack_64.c | 2 +-
- arch/x86/kernel/espfix_64.c | 2 +-
- arch/x86/kernel/fpu/init.c | 4 +-
arch/x86/kernel/ioport.c | 13 +
arch/x86/kernel/irq_32.c | 3 +
arch/x86/kernel/irq_64.c | 4 +
arch/x86/kernel/ldt.c | 18 +
arch/x86/kernel/msr.c | 10 +
- arch/x86/kernel/ptrace.c | 28 +
+ arch/x86/kernel/ptrace.c | 14 +
arch/x86/kernel/signal.c | 9 +-
arch/x86/kernel/sys_i386_32.c | 9 +-
arch/x86/kernel/sys_x86_64.c | 8 +-
arch/x86/kernel/traps.c | 5 +
arch/x86/kernel/verify_cpu.S | 1 +
- arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/kernel/vm86_32.c | 15 +
+ arch/x86/kvm/svm.c | 14 +-
arch/x86/mm/fault.c | 12 +-
arch/x86/mm/hugetlbpage.c | 15 +-
arch/x86/mm/init.c | 66 +-
arch/x86/xen/Kconfig | 1 +
arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 2 +-
+ crypto/blkcipher.c | 2 +-
+ crypto/scatterwalk.c | 10 +-
drivers/acpi/acpica/hwxfsleep.c | 11 +-
drivers/acpi/custom_method.c | 4 +
drivers/block/cciss.h | 30 +-
drivers/cdrom/cdrom.c | 2 +-
drivers/char/Kconfig | 4 +-
drivers/char/genrtc.c | 1 +
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
drivers/char/mem.c | 17 +
drivers/char/random.c | 5 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 2 -
+ drivers/crypto/nx/nx-aes-ccm.c | 2 +-
+ drivers/crypto/nx/nx-aes-gcm.c | 2 +-
+ drivers/crypto/talitos.c | 2 +-
drivers/firewire/ohci.c | 4 +
- drivers/gpu/drm/drm_context.c | 50 +-
- drivers/gpu/drm/drm_drv.c | 11 +-
- drivers/gpu/drm/drm_lock.c | 18 +-
- drivers/gpu/drm/i915/i915_dma.c | 2 +
- drivers/gpu/drm/nouveau/nouveau_drm.c | 3 +-
- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 70 +-
+ drivers/gpu/drm/nouveau/nouveau_ttm.c | 28 +-
drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +-
drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
drivers/hid/hid-wiimote-debug.c | 2 +-
drivers/infiniband/hw/nes/nes_cm.c | 22 +-
+ drivers/iommu/Kconfig | 1 +
drivers/iommu/amd_iommu.c | 14 +-
drivers/isdn/gigaset/bas-gigaset.c | 32 +-
drivers/isdn/gigaset/ser-gigaset.c | 32 +-
drivers/isdn/gigaset/usb-gigaset.c | 32 +-
+ drivers/isdn/hisax/config.c | 2 +-
+ drivers/isdn/hisax/hfc_pci.c | 2 +-
+ drivers/isdn/hisax/hfc_sx.c | 2 +-
+ drivers/isdn/hisax/q931.c | 6 +-
drivers/isdn/i4l/isdn_concap.c | 6 +-
drivers/isdn/i4l/isdn_x25iface.c | 16 +-
+ drivers/md/bcache/Kconfig | 1 +
drivers/md/raid5.c | 8 +
drivers/media/pci/solo6x10/solo6x10-g723.c | 2 +-
+ drivers/media/platform/sti/c8sectpfe/Kconfig | 1 +
+ drivers/media/platform/vivid/vivid-osd.c | 1 +
drivers/media/radio/radio-cadet.c | 5 +-
drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +-
drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 +-
drivers/message/fusion/mptbase.c | 9 +
drivers/misc/sgi-xp/xp_main.c | 12 +-
drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
+ drivers/net/ppp/pppoe.c | 14 +-
+ drivers/net/ppp/pptp.c | 6 +
+ drivers/net/slip/slhc.c | 3 +
drivers/net/wan/lmc/lmc_media.c | 97 +-
+ drivers/net/wan/x25_asy.c | 6 +-
drivers/net/wan/z85230.c | 24 +-
+ drivers/net/wireless/ath/ath9k/Kconfig | 1 -
drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/pci-sysfs.c | 2 +-
drivers/pci/proc.c | 9 +
drivers/platform/x86/asus-wmi.c | 12 +
drivers/rtc/rtc-dev.c | 3 +
drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
drivers/scsi/bfa/bfa_modules.h | 12 +-
drivers/scsi/hpsa.h | 40 +-
+ drivers/staging/dgnc/dgnc_mgmt.c | 1 +
drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
- drivers/staging/sm750fb/sm750.c | 3 +
+ drivers/target/target_core_sbc.c | 17 +-
+ drivers/target/target_core_transport.c | 14 +-
drivers/tty/serial/uartlite.c | 4 +-
drivers/tty/sysrq.c | 2 +-
drivers/tty/vt/keyboard.c | 22 +-
firmware/WHENCE | 20 +-
firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 +++++++++++++++++
firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 ++++++++++++++++++++
+ fs/9p/vfs_inode.c | 4 +-
fs/attr.c | 1 +
fs/autofs4/waitq.c | 9 +
fs/binfmt_aout.c | 7 +
- fs/binfmt_elf.c | 40 +-
+ fs/binfmt_elf.c | 50 +-
fs/compat.c | 20 +-
fs/coredump.c | 17 +-
fs/dcache.c | 3 +
fs/debugfs/inode.c | 11 +-
- fs/exec.c | 218 +-
+ fs/exec.c | 219 +-
fs/ext2/balloc.c | 4 +-
fs/ext2/super.c | 8 +-
- fs/ext3/balloc.c | 4 +-
- fs/ext3/super.c | 8 +-
fs/ext4/balloc.c | 4 +-
fs/fcntl.c | 4 +
fs/fhandle.c | 3 +-
fs/inode.c | 8 +-
fs/kernfs/dir.c | 6 +
fs/mount.h | 4 +-
- fs/namei.c | 285 +-
+ fs/namei.c | 286 +-
fs/namespace.c | 24 +
fs/nfsd/nfscache.c | 2 +-
fs/open.c | 38 +
- fs/overlayfs/inode.c | 3 +
+ fs/overlayfs/inode.c | 11 +-
fs/overlayfs/super.c | 6 +-
fs/pipe.c | 2 +-
fs/posix_acl.c | 15 +-
fs/proc/Kconfig | 10 +-
- fs/proc/array.c | 66 +-
- fs/proc/base.c | 168 +-
+ fs/proc/array.c | 69 +-
+ fs/proc/base.c | 186 +-
fs/proc/cmdline.c | 4 +
fs/proc/devices.c | 4 +
fs/proc/fd.c | 17 +-
fs/proc/internal.h | 11 +-
fs/proc/interrupts.c | 4 +
fs/proc/kcore.c | 3 +
+ fs/proc/meminfo.c | 7 +-
+ fs/proc/namespaces.c | 4 +-
fs/proc/proc_net.c | 31 +
fs/proc/proc_sysctl.c | 52 +-
fs/proc/root.c | 8 +
fs/reiserfs/super.c | 4 +
fs/select.c | 2 +
fs/seq_file.c | 30 +-
+ fs/splice.c | 8 +
fs/stat.c | 20 +-
fs/sysfs/dir.c | 30 +-
+ fs/sysv/inode.c | 11 +-
fs/utimes.c | 7 +
fs/xattr.c | 26 +-
grsecurity/Kconfig | 1182 ++++
grsecurity/grsec_tpe.c | 78 +
grsecurity/grsec_usb.c | 15 +
grsecurity/grsum.c | 64 +
- include/drm/drmP.h | 23 +-
include/linux/binfmts.h | 5 +-
+ include/linux/bitops.h | 2 +-
include/linux/capability.h | 13 +
include/linux/compiler-gcc.h | 5 +
include/linux/compiler.h | 8 +
include/linux/grdefs.h | 140 +
include/linux/grinternal.h | 230 +
include/linux/grmsg.h | 118 +
- include/linux/grsecurity.h | 249 +
+ include/linux/grsecurity.h | 255 +
include/linux/grsock.h | 19 +
include/linux/ipc.h | 2 +-
include/linux/ipc_namespace.h | 2 +-
include/linux/mm_types.h | 4 +-
include/linux/module.h | 5 +-
include/linux/mount.h | 2 +-
+ include/linux/msg.h | 2 +-
include/linux/netfilter/xt_gradm.h | 9 +
include/linux/path.h | 4 +-
include/linux/perf_event.h | 13 +-
include/linux/printk.h | 2 +-
include/linux/proc_fs.h | 22 +-
include/linux/proc_ns.h | 2 +-
+ include/linux/ptrace.h | 24 +-
include/linux/random.h | 2 +-
include/linux/rbtree_augmented.h | 4 +-
include/linux/scatterlist.h | 12 +-
- include/linux/sched.h | 110 +-
- include/linux/security.h | 3 +-
+ include/linux/sched.h | 114 +-
+ include/linux/security.h | 1 +
+ include/linux/sem.h | 2 +-
include/linux/seq_file.h | 5 +
include/linux/shm.h | 6 +-
include/linux/skbuff.h | 3 +
include/linux/user_namespace.h | 2 +-
include/linux/utsname.h | 2 +-
include/linux/vermagic.h | 16 +-
- include/linux/vmalloc.h | 8 +
+ include/linux/vmalloc.h | 20 +-
include/net/af_unix.h | 2 +-
+ include/net/dst.h | 33 +
include/net/ip.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 2 +-
- include/net/sock.h | 2 +-
+ include/net/sock.h | 4 +-
+ include/target/target_core_base.h | 2 +-
include/trace/events/fs.h | 53 +
- include/uapi/drm/i915_drm.h | 1 +
include/uapi/linux/personality.h | 1 +
- init/Kconfig | 3 +-
+ init/Kconfig | 4 +-
init/main.c | 35 +-
ipc/mqueue.c | 1 +
- ipc/msg.c | 14 +-
- ipc/shm.c | 36 +-
- ipc/util.c | 14 +-
+ ipc/msg.c | 3 +-
+ ipc/sem.c | 3 +-
+ ipc/shm.c | 26 +-
+ ipc/util.c | 6 +
kernel/auditsc.c | 2 +-
kernel/bpf/syscall.c | 8 +-
kernel/capability.c | 41 +-
kernel/compat.c | 1 +
kernel/configs.c | 11 +
kernel/cred.c | 112 +-
- kernel/events/core.c | 14 +-
+ kernel/events/core.c | 16 +-
kernel/exit.c | 10 +-
kernel/fork.c | 86 +-
- kernel/futex.c | 4 +-
+ kernel/futex.c | 6 +-
+ kernel/futex_compat.c | 2 +-
kernel/kallsyms.c | 9 +
- kernel/kcmp.c | 4 +
- kernel/kexec.c | 2 +-
+ kernel/kcmp.c | 8 +-
+ kernel/kexec_core.c | 2 +-
kernel/kmod.c | 95 +-
kernel/kprobes.c | 7 +-
kernel/ksysfs.c | 2 +
kernel/locking/lockdep_proc.c | 10 +-
kernel/module.c | 108 +-
kernel/panic.c | 4 +-
- kernel/pid.c | 19 +-
+ kernel/pid.c | 23 +-
kernel/power/Kconfig | 2 +
- kernel/printk/printk.c | 7 +-
- kernel/ptrace.c | 20 +-
+ kernel/printk/printk.c | 20 +-
+ kernel/ptrace.c | 56 +-
kernel/resource.c | 10 +
kernel/sched/core.c | 11 +-
kernel/signal.c | 37 +-
kernel/sys.c | 64 +-
- kernel/sysctl.c | 180 +-
+ kernel/sysctl.c | 172 +-
kernel/taskstats.c | 6 +
kernel/time/posix-timers.c | 8 +
kernel/time/time.c | 5 +
kernel/time/timekeeping.c | 3 +
kernel/time/timer_list.c | 13 +-
kernel/time/timer_stats.c | 10 +-
+ kernel/trace/Kconfig | 2 +
kernel/trace/trace_syscalls.c | 8 +
kernel/user_namespace.c | 15 +
- lib/Kconfig.debug | 7 +-
+ lib/Kconfig.debug | 13 +-
+ lib/Kconfig.kasan | 2 +-
lib/is_single_threaded.c | 3 +
lib/list_debug.c | 65 +-
lib/nlattr.c | 2 +
lib/rbtree.c | 4 +-
lib/vsprintf.c | 39 +-
localversion-grsec | 1 +
- mm/Kconfig | 5 +-
+ mm/Kconfig | 8 +-
mm/Kconfig.debug | 1 +
mm/filemap.c | 1 +
- mm/hugetlb.c | 8 +
mm/kmemleak.c | 4 +-
mm/memory.c | 2 +-
mm/mempolicy.c | 12 +-
mm/mlock.c | 6 +-
mm/mmap.c | 93 +-
mm/mprotect.c | 8 +
+ mm/oom_kill.c | 28 +-
mm/page_alloc.c | 2 +-
- mm/process_vm_access.c | 6 +
- mm/shmem.c | 2 +-
- mm/slab.c | 27 +-
+ mm/process_vm_access.c | 8 +-
+ mm/shmem.c | 36 +-
+ mm/slab.c | 14 +-
mm/slab_common.c | 2 +-
mm/slob.c | 12 +
mm/slub.c | 33 +-
mm/util.c | 3 +
- mm/vmalloc.c | 80 +-
+ mm/vmalloc.c | 129 +-
mm/vmstat.c | 29 +-
net/appletalk/atalk_proc.c | 2 +-
net/atm/lec.c | 6 +-
net/atm/mpoa_caches.c | 42 +-
+ net/bluetooth/sco.c | 3 +
net/can/bcm.c | 2 +-
net/can/proc.c | 2 +-
net/core/dev_ioctl.c | 7 +-
net/core/sysctl_net_core.c | 2 +-
net/decnet/dn_dev.c | 2 +-
net/ipv4/devinet.c | 6 +-
- net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/inet_hashtables.c | 4 +
net/ipv4/ip_input.c | 7 +
net/ipv4/ip_sockglue.c | 3 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
+ net/ipv4/netfilter/nf_nat_pptp.c | 2 +-
net/ipv4/route.c | 6 +-
net/ipv4/tcp_input.c | 4 +-
- net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_ipv4.c | 29 +-
net/ipv4/tcp_minisocks.c | 9 +-
net/ipv4/tcp_timer.c | 11 +
net/ipv4/udp.c | 24 +
net/ipv6/addrconf.c | 13 +-
net/ipv6/proc.c | 2 +-
- net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/tcp_ipv6.c | 26 +-
net/ipv6/udp.c | 7 +
net/ipx/ipx_proc.c | 2 +-
net/irda/irproc.c | 2 +-
net/netfilter/xt_gradm.c | 51 +
net/netfilter/xt_hashlimit.c | 4 +-
net/netfilter/xt_recent.c | 2 +-
- net/socket.c | 71 +-
+ net/sched/sch_api.c | 2 +-
+ net/sctp/socket.c | 4 +-
+ net/socket.c | 75 +-
+ net/sunrpc/Kconfig | 1 +
net/sunrpc/cache.c | 2 +-
net/sunrpc/stats.c | 2 +-
net/sysctl_net.c | 2 +-
net/x25/sysctl_net_x25.c | 2 +-
net/x25/x25_proc.c | 2 +-
scripts/package/Makefile | 2 +-
- scripts/package/mkspec | 38 +-
- security/Kconfig | 370 +-
+ scripts/package/mkspec | 41 +-
+ security/Kconfig | 369 +-
security/apparmor/file.c | 4 +-
security/apparmor/lsm.c | 8 +-
- security/commoncap.c | 29 +
+ security/commoncap.c | 36 +-
security/min_addr.c | 2 +
+ security/smack/smack_lsm.c | 8 +-
security/tomoyo/file.c | 12 +-
security/tomoyo/mount.c | 4 +
security/tomoyo/tomoyo.c | 20 +-
security/yama/Kconfig | 2 +-
+ security/yama/yama_lsm.c | 4 +-
sound/synth/emux/emux_seq.c | 14 +-
sound/usb/line6/driver.c | 40 +-
sound/usb/line6/toneport.c | 12 +-
tools/gcc/gen-random-seed.sh | 8 +
tools/gcc/randomize_layout_plugin.c | 930 +++
tools/gcc/size_overflow_plugin/.gitignore | 1 +
- .../size_overflow_plugin/size_overflow_hash.data | 320 +-
- 466 files changed, 32295 insertions(+), 2907 deletions(-)
+ .../size_overflow_plugin/size_overflow_hash.data | 459 ++-
+ 511 files changed, 32631 insertions(+), 3196 deletions(-)
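Review bot: the replacement import message "Initial import of grsecurity 3.1 for Linux 4.3.3" at the top of this region drops the "Note that size_overflow is currently marked BROKEN" line that the 4.2.3 message carried, without saying whether the status changed. If the size_overflow plugin is no longer marked BROKEN in this import, a line saying so would help; if it still is, the note should be carried over rather than silently removed.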
-commit fc19197ab5a42069863a7d88f1d41eb687697fe9
+commit a76adb92ce39aee8eec5a025c828030ad6135c6d
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 4 20:43:51 2015 -0400
+Date: Tue Dec 15 14:31:49 2015 -0500
- Update to pax-linux-4.2.3-test6.patch:
- - fixed a KERNEXEC/x86 and early ioremap regression, reported by spender
- - sanitized a few more top level page table entries on amd64
+ Update to pax-linux-4.3.3-test11.patch:
+ - fixed a few compile regressions with the recent plugin changes, reported by spender
+ - updated the size overflow hash table
- arch/x86/kernel/espfix_64.c | 2 +-
- arch/x86/kernel/head_64.S | 8 ++++----
- arch/x86/mm/ioremap.c | 6 +++++-
- 3 files changed, 10 insertions(+), 6 deletions(-)
+ tools/gcc/latent_entropy_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 66 +++++++++++++++++---
+ tools/gcc/stackleak_plugin.c | 2 +-
+ tools/gcc/structleak_plugin.c | 6 +--
+ 4 files changed, 60 insertions(+), 16 deletions(-)
-commit 23ac5415b9ef394e10b1516d3b314c742c6a3e59
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 4 17:47:37 2015 -0400
-
- Resync with pax-linux-4.2.3-test5.patch
-
- arch/x86/include/asm/pgtable-2level.h | 20 ++++++++++++++++----
- arch/x86/include/asm/pgtable-3level.h | 8 ++++++++
- arch/x86/include/asm/pgtable_32.h | 2 --
- arch/x86/include/asm/pgtable_64.h | 20 ++++++++++++++++----
- arch/x86/mm/highmem_32.c | 2 --
- arch/x86/mm/init_64.c | 2 --
- arch/x86/mm/iomap_32.c | 4 ----
- arch/x86/mm/ioremap.c | 2 +-
- arch/x86/mm/pgtable.c | 2 --
- arch/x86/mm/pgtable_32.c | 3 ---
- mm/highmem.c | 6 +-----
- mm/vmalloc.c | 12 +-----------
- .../size_overflow_plugin/size_overflow_hash.data | 2 --
- 13 files changed, 43 insertions(+), 42 deletions(-)
-
-commit 25f4bed80f0d87783793a70d6c20080031a1fd38
+commit f7284b1fc06628fcb2d35d2beecdea5454d46af9
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Oct 4 13:06:32 2015 -0400
-
- Update to pax-linux-4.2.3-test5.patch:
- - forward port to 4.2.3
- - fixed integer sign conversion errors caused by ieee80211_tx_rate_control.max_rate_idx, caught by the size overflow plugin
- - fixed a bug in try_preserve_large_page that caused unnecessary large page split ups
- - increased the number of statically allocated kernel page tables under KERNEXEC/amd64
-
- arch/x86/include/asm/pgtable-2level.h | 2 ++
- arch/x86/include/asm/pgtable-3level.h | 5 +++++
- arch/x86/include/asm/pgtable_64.h | 2 ++
- arch/x86/kernel/cpu/bugs_64.c | 2 ++
- arch/x86/kernel/head_64.S | 28 +++++++++++++++++++++++-----
- arch/x86/kernel/vmlinux.lds.S | 8 +++++++-
- arch/x86/mm/init.c | 18 ++++++++++++++----
- arch/x86/mm/ioremap.c | 8 ++++++--
- arch/x86/mm/pageattr.c | 5 ++---
- arch/x86/mm/pgtable.c | 2 ++
- include/asm-generic/sections.h | 1 +
- include/asm-generic/vmlinux.lds.h | 2 ++
- include/net/mac80211.h | 2 +-
- mm/vmalloc.c | 7 ++++++-
- 14 files changed, 75 insertions(+), 17 deletions(-)
-
-commit a2dce7cb2e3c389b7ef6c76c15ccdbf506007ddd
-Merge: d113ff6 fcba09f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Oct 3 09:12:31 2015 -0400
+Date: Tue Dec 15 11:50:24 2015 -0500
+
+ Apply structleak ICE fix for gcc < 4.9
- Merge branch 'linux-4.2.y' into pax-test
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
-commit d113ff6e7835e89e2b954503b1a100750ddb43c7
+commit 92fe3eb9fd10ec7f7334decab1526989669b0287
Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu Oct 1 21:34:12 2015 -0400
-
- Update to pax-linux-4.2.2-test5.patch:
- - fixed a RANDKSTACK regression, reported by spender
- - fixed some more compiler warnings due to the ktla_ktva changes, reported by spender
-
- arch/x86/entry/entry_64.S | 2 ++
- arch/x86/kernel/process.c | 1 +
- drivers/hv/hv.c | 2 +-
- drivers/lguest/x86/core.c | 4 ++--
- drivers/misc/kgdbts.c | 4 ++--
- drivers/video/fbdev/uvesafb.c | 4 ++--
- fs/binfmt_elf_fdpic.c | 2 +-
- 7 files changed, 11 insertions(+), 8 deletions(-)
-
-commit 149e32a4dddfae46e2490f011870cd4492ca946c
+Date: Tue Dec 15 07:57:06 2015 -0500
+
+ Update to pax-linux-4.3.1-test10.patch:
+ - Emese fixed INDIRECT_REF and TARGET_MEM_REF handling in the initify plugin
+ - Emese regenerated the size overflow hash tables for 4.3
+ - fixed some compat syscall exit paths to restore r12 under KERNEXEC/or
+ - the latent entropy, stackleak and structleak plugins no longer split the entry block unnecessarily
+
+ arch/x86/entry/entry_64.S | 2 +-
+ arch/x86/entry/entry_64_compat.S | 15 +-
+ scripts/package/builddeb | 2 +-
+ tools/gcc/initify_plugin.c | 11 +-
+ tools/gcc/latent_entropy_plugin.c | 20 +-
+ .../disable_size_overflow_hash.data | 4 +
+ .../size_overflow_plugin/size_overflow_hash.data | 5345 +++++++++++---------
+ tools/gcc/stackleak_plugin.c | 26 +-
+ tools/gcc/structleak_plugin.c | 21 +-
+ 9 files changed, 3079 insertions(+), 2367 deletions(-)
+
+commit 5bd245cb687319079c2f1c0d6a1170791ed1ed2c
+Merge: b5847e6 3548341
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Sep 29 16:31:50 2015 -0400
+Date: Tue Dec 15 07:47:56 2015 -0500
- Update to pax-linux-4.2.2-test4.patch:
- - fixed a few compiler warnings caused by the recently reworked ktla_ktva/ktva_ktla functions, reported by spender
- - Emese fixed a size overflow false positive in the IDE driver, reported by spender
+ Merge branch 'linux-4.3.y' into pax-4_3
+
+ Conflicts:
+ net/unix/af_unix.c
- arch/x86/lib/insn.c | 2 +-
- drivers/ide/ide-disk.c | 2 +-
- drivers/video/fbdev/vesafb.c | 4 ++--
- fs/binfmt_elf.c | 2 +-
- .../size_overflow_plugin/size_overflow_plugin.c | 4 ++--
- .../size_overflow_transform_core.c | 11 +++++------
- 6 files changed, 12 insertions(+), 13 deletions(-)
-
-commit 02c41b848fbaddf82ce98690b23d3d85a94d55fe
-Merge: b8b2f5b 7659db3
+commit b5847e6a896c5d99191135ca4d7c3b6be8f116ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 9 23:11:36 2015 -0500
+
+ Update to pax-linux-4.3.1-test9.patch:
+ - fixed __get_user on x86 to lie less about the size of the load, reported by peetaur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4332)
+ - Emese fixed an intentional overflow caused by gcc, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4333)
+ - Emese fixed a false positive overflow report in the forcedeth driver, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?t=4334)
+ - Emese fixed a false positive overflow report in KVM's emulator, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4336)
+ - Emese fixed the initify plugin to detect some captured use of __func__, reported by Rasmus Villemoes <linux@rasmusvillemoes.dk>
+ - constrained shmmax and shmall to avoid triggering size overflow checks, reported by Mathias Krause <minipli@ld-linux.so>
+ - the checker plugin can partially handle sparse's locking context annotations, it's context insensitive and thus not exactly useful for now, also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59856
+
+ Makefile | 6 +
+ arch/x86/include/asm/compat.h | 4 +
+ arch/x86/include/asm/dma.h | 2 +
+ arch/x86/include/asm/pmem.h | 2 +-
+ arch/x86/include/asm/uaccess.h | 20 +-
+ arch/x86/kernel/apic/vector.c | 6 +-
+ arch/x86/kernel/cpu/mtrr/generic.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 28 +-
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kvm/i8259.c | 10 +-
+ arch/x86/kvm/ioapic.c | 2 +
+ arch/x86/kvm/x86.c | 2 +
+ arch/x86/lib/usercopy_64.c | 2 +-
+ arch/x86/mm/mpx.c | 4 +-
+ arch/x86/mm/pageattr.c | 7 +
+ drivers/base/devres.c | 4 +-
+ drivers/base/power/runtime.c | 6 +-
+ drivers/base/regmap/regmap.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/block/drbd/drbd_worker.c | 6 +-
+ drivers/char/virtio_console.c | 6 +-
+ drivers/md/dm.c | 12 +-
+ drivers/net/ethernet/nvidia/forcedeth.c | 4 +-
+ drivers/net/macvtap.c | 4 +-
+ drivers/video/fbdev/core/fbmem.c | 10 +-
+ fs/compat.c | 3 +-
+ fs/coredump.c | 2 +-
+ fs/dcache.c | 13 +-
+ fs/fhandle.c | 2 +-
+ fs/file.c | 14 +-
+ fs/fs-writeback.c | 11 +-
+ fs/overlayfs/copy_up.c | 2 +-
+ fs/readdir.c | 3 +-
+ fs/super.c | 3 +-
+ include/linux/compiler.h | 36 ++-
+ include/linux/rcupdate.h | 8 +
+ include/linux/sched.h | 4 +-
+ include/linux/seqlock.h | 10 +
+ include/linux/spinlock.h | 17 +-
+ include/linux/srcu.h | 5 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/writeback.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ ipc/ipc_sysctl.c | 6 +
+ kernel/exit.c | 25 +-
+ kernel/resource.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/user.c | 2 +-
+ kernel/workqueue.c | 6 +-
+ lib/rhashtable.c | 4 +-
+ net/compat.c | 2 +-
+ net/ipv4/xfrm4_mode_transport.c | 2 +-
+ security/keys/internal.h | 8 +-
+ security/keys/keyring.c | 4 -
+ sound/core/seq/seq_clientmgr.c | 8 +-
+ sound/core/seq/seq_compat.c | 2 +-
+ sound/core/seq/seq_memory.c | 6 +-
+ tools/gcc/checker_plugin.c | 415 +++++++++++++++++++-
+ tools/gcc/gcc-common.h | 1 +
+ tools/gcc/initify_plugin.c | 33 ++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ 62 files changed, 708 insertions(+), 140 deletions(-)
+
+commit f2634c2f6995f4231616f24ed016f890c701f939
+Merge: 1241bff 5f8b236
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Sep 29 15:50:40 2015 -0400
+Date: Wed Dec 9 21:50:47 2015 -0500
- Merge branch 'linux-4.2.y' into pax-test
+ Merge branch 'linux-4.3.y' into pax-4_3
Conflicts:
- fs/nfs/inode.c
+ arch/x86/kernel/fpu/xstate.c
+ arch/x86/kernel/head_64.S
-commit b8b2f5bc93ced0ca9a8366d0f3fa09abd1ca7ac6
+commit 1241bff82e3d7dadb05de0a60b8d2822afc6547c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Sep 29 09:13:54 2015 -0400
+Date: Sun Dec 6 08:44:56 2015 -0500
+
+ Update to pax-linux-4.3-test8.patch:
+ - fixed integer truncation check in md introduced by upstream commits 284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41, reported by BeiKed9o (https://forums.grsecurity.net/viewtopic.php?f=3&t=4328)
+ - gcc plugin compilation problems will now also produce the output of the checking script to make diagnosis easier, reported by hunger
+ - Emese fixed a false positive size overflow report in __vhost_add_used_n, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4329)
+ - fixed a potential integer truncation error in the raid1 code caught by the size overflow plugin, reported by d1b (https://forums.grsecurity.net/viewtopic.php?f=3&t=4331)
+
+ Makefile | 5 +++
+ drivers/md/md.c | 5 ++-
+ drivers/md/raid1.c | 2 +-
+ fs/proc/task_mmu.c | 3 ++
+ .../disable_size_overflow_hash.data | 4 ++-
+ .../size_overflow_plugin/intentional_overflow.c | 32 ++++++++++++++++---
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 8 files changed, 43 insertions(+), 12 deletions(-)
+
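Review bot: the diffstat of the pax-linux-4.3-test8 entry lists `fs/proc/task_mmu.c | 3 ++`, but none of the four bullets above it describes a change to that file; add a bullet for it so the entry accounts for every file in its own diffstat (the Makefile change is covered by the gcc-plugin bullet, the md/raid1 and size_overflow_plugin files by the other three). The first bullet is also ambiguous about what upstream commits 284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41 introduced, the truncation check or the truncation that the check now catches; rewording it along the lines of `fixed the integer truncation check in md that was broken by upstream commits ...` (or the reverse, whichever is meant) and naming the md function involved would make the entry usable for anyone bisecting or backporting.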
+commit cce6a9f9bdd27096632ca1c0246dcc07f2eb1a18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 4 14:24:12 2015 -0500
- Initial import of pax-linux-4.2.1-test3.patch
+ Initial import of pax-linux-4.3-test7.patch
Documentation/dontdiff | 47 +-
Documentation/kbuild/makefiles.txt | 39 +-
arch/alpha/kernel/osf_sys.c | 8 +-
arch/alpha/mm/fault.c | 141 +-
arch/arm/Kconfig | 2 +-
- arch/arm/include/asm/atomic.h | 319 +-
- arch/arm/include/asm/barrier.h | 2 +-
+ arch/arm/include/asm/atomic.h | 320 +-
arch/arm/include/asm/cache.h | 5 +-
arch/arm/include/asm/cacheflush.h | 2 +-
arch/arm/include/asm/checksum.h | 14 +-
arch/arm/include/asm/cmpxchg.h | 4 +
arch/arm/include/asm/cpuidle.h | 2 +-
- arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/domain.h | 22 +-
arch/arm/include/asm/elf.h | 9 +-
arch/arm/include/asm/fncpy.h | 2 +
arch/arm/include/asm/futex.h | 10 +
arch/arm/include/asm/pgtable-2level.h | 3 +
arch/arm/include/asm/pgtable-3level.h | 3 +
arch/arm/include/asm/pgtable.h | 54 +-
- arch/arm/include/asm/psci.h | 2 +-
arch/arm/include/asm/smp.h | 2 +-
- arch/arm/include/asm/thread_info.h | 6 +-
arch/arm/include/asm/tls.h | 3 +
- arch/arm/include/asm/uaccess.h | 100 +-
+ arch/arm/include/asm/uaccess.h | 79 +-
arch/arm/include/uapi/asm/ptrace.h | 2 +-
- arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/armksyms.c | 2 +-
arch/arm/kernel/cpuidle.c | 2 +-
- arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/entry-armv.S | 109 +-
arch/arm/kernel/entry-common.S | 40 +-
- arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/entry-header.S | 55 +
arch/arm/kernel/fiq.c | 3 +
- arch/arm/kernel/head.S | 2 +-
+ arch/arm/kernel/module-plts.c | 7 +-
arch/arm/kernel/module.c | 38 +-
arch/arm/kernel/patch.c | 2 +
arch/arm/kernel/process.c | 90 +-
- arch/arm/kernel/psci.c | 2 +-
arch/arm/kernel/reboot.c | 1 +
arch/arm/kernel/setup.c | 20 +-
arch/arm/kernel/signal.c | 35 +-
arch/arm/kernel/smp.c | 2 +-
arch/arm/kernel/tcm.c | 4 +-
- arch/arm/kernel/traps.c | 6 +-
arch/arm/kernel/vmlinux.lds.S | 6 +-
- arch/arm/kvm/arm.c | 10 +-
- arch/arm/lib/clear_user.S | 6 +-
- arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/kvm/arm.c | 8 +-
arch/arm/lib/copy_page.S | 1 +
- arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/csumpartialcopyuser.S | 4 +-
arch/arm/lib/delay.c | 2 +-
- arch/arm/lib/uaccess_with_memcpy.c | 8 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 4 +-
arch/arm/mach-exynos/suspend.c | 6 +-
arch/arm/mach-mvebu/coherency.c | 4 +-
arch/arm/mach-omap2/board-n8x0.c | 2 +-
arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +-
arch/arm/mach-omap2/wd_timer.c | 6 +-
arch/arm/mach-shmobile/platsmp-apmu.c | 5 +-
- arch/arm/mach-shmobile/pm-r8a7740.c | 5 +-
- arch/arm/mach-shmobile/pm-sh73a0.c | 5 +-
arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
arch/arm/mach-tegra/irq.c | 1 +
arch/arm/mach-ux500/pm.c | 1 +
arch/arm/mm/init.c | 39 +
arch/arm/mm/ioremap.c | 4 +-
arch/arm/mm/mmap.c | 30 +-
- arch/arm/mm/mmu.c | 182 +-
+ arch/arm/mm/mmu.c | 162 +-
arch/arm/net/bpf_jit_32.c | 3 +
arch/arm/plat-iop/setup.c | 2 +-
arch/arm/plat-omap/sram.c | 2 +
arch/arm64/include/asm/atomic.h | 10 +
- arch/arm64/include/asm/barrier.h | 2 +-
arch/arm64/include/asm/percpu.h | 8 +-
arch/arm64/include/asm/pgalloc.h | 5 +
arch/arm64/include/asm/uaccess.h | 1 +
arch/frv/mm/elf-fdpic.c | 3 +-
arch/ia64/Makefile | 1 +
arch/ia64/include/asm/atomic.h | 10 +
- arch/ia64/include/asm/barrier.h | 2 +-
arch/ia64/include/asm/elf.h | 7 +
arch/ia64/include/asm/pgalloc.h | 12 +
arch/ia64/include/asm/pgtable.h | 13 +-
arch/ia64/mm/fault.c | 32 +-
arch/ia64/mm/init.c | 15 +-
arch/m32r/lib/usercopy.c | 6 +
- arch/metag/include/asm/barrier.h | 2 +-
arch/mips/cavium-octeon/dma-octeon.c | 2 +-
- arch/mips/include/asm/atomic.h | 355 +-
- arch/mips/include/asm/barrier.h | 2 +-
+ arch/mips/include/asm/atomic.h | 368 +-
arch/mips/include/asm/elf.h | 7 +
arch/mips/include/asm/exec.h | 2 +-
arch/mips/include/asm/hw_irq.h | 2 +-
arch/mips/include/asm/uaccess.h | 1 +
arch/mips/kernel/binfmt_elfn32.c | 7 +
arch/mips/kernel/binfmt_elfo32.c | 7 +
- arch/mips/kernel/i8259.c | 2 +-
arch/mips/kernel/irq-gt641xx.c | 2 +-
arch/mips/kernel/irq.c | 6 +-
arch/mips/kernel/pm-cps.c | 2 +-
arch/mips/kernel/process.c | 12 -
arch/mips/kernel/sync-r4k.c | 24 +-
arch/mips/kernel/traps.c | 13 +-
- arch/mips/kvm/mips.c | 2 +-
arch/mips/mm/fault.c | 25 +
arch/mips/mm/mmap.c | 51 +-
arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
arch/parisc/kernel/traps.c | 4 +-
arch/parisc/mm/fault.c | 140 +-
arch/powerpc/include/asm/atomic.h | 329 +-
- arch/powerpc/include/asm/barrier.h | 2 +-
arch/powerpc/include/asm/elf.h | 12 +
arch/powerpc/include/asm/exec.h | 2 +-
arch/powerpc/include/asm/kmap_types.h | 2 +-
arch/powerpc/kernel/signal_64.c | 2 +-
arch/powerpc/kernel/traps.c | 21 +
arch/powerpc/kernel/vdso.c | 5 +-
- arch/powerpc/kvm/powerpc.c | 2 +-
arch/powerpc/lib/usercopy_64.c | 18 -
arch/powerpc/mm/fault.c | 56 +-
arch/powerpc/mm/mmap.c | 16 +
arch/powerpc/mm/slice.c | 13 +-
arch/powerpc/platforms/cell/spufs/file.c | 4 +-
arch/s390/include/asm/atomic.h | 10 +
- arch/s390/include/asm/barrier.h | 2 +-
arch/s390/include/asm/elf.h | 7 +
arch/s390/include/asm/exec.h | 2 +-
arch/s390/include/asm/uaccess.h | 13 +-
arch/score/kernel/process.c | 5 -
arch/sh/mm/mmap.c | 22 +-
arch/sparc/include/asm/atomic_64.h | 110 +-
- arch/sparc/include/asm/barrier_64.h | 2 +-
arch/sparc/include/asm/cache.h | 2 +-
arch/sparc/include/asm/elf_32.h | 7 +
arch/sparc/include/asm/elf_64.h | 7 +
arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
- arch/x86/entry/calling.h | 92 +-
- arch/x86/entry/entry_32.S | 360 +-
- arch/x86/entry/entry_64.S | 636 +-
+ arch/x86/entry/calling.h | 86 +-
+ arch/x86/entry/common.c | 13 +-
+ arch/x86/entry/entry_32.S | 351 +-
+ arch/x86/entry/entry_64.S | 619 +-
arch/x86/entry/entry_64_compat.S | 159 +-
arch/x86/entry/thunk_64.S | 2 +
arch/x86/entry/vdso/Makefile | 2 +-
- arch/x86/entry/vdso/vdso2c.h | 4 +-
+ arch/x86/entry/vdso/vdso2c.h | 8 +-
arch/x86/entry/vdso/vma.c | 41 +-
arch/x86/entry/vsyscall/vsyscall_64.c | 16 +-
+ arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +-
arch/x86/ia32/ia32_signal.c | 23 +-
arch/x86/ia32/sys_ia32.c | 42 +-
arch/x86/include/asm/alternative-asm.h | 43 +-
arch/x86/include/asm/alternative.h | 4 +-
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/apm.h | 4 +-
- arch/x86/include/asm/atomic.h | 269 +-
+ arch/x86/include/asm/atomic.h | 230 +-
arch/x86/include/asm/atomic64_32.h | 100 +
arch/x86/include/asm/atomic64_64.h | 164 +-
- arch/x86/include/asm/barrier.h | 4 +-
arch/x86/include/asm/bitops.h | 18 +-
arch/x86/include/asm/boot.h | 2 +-
arch/x86/include/asm/cache.h | 5 +-
arch/x86/include/asm/div64.h | 2 +-
arch/x86/include/asm/elf.h | 33 +-
arch/x86/include/asm/emergency-restart.h | 2 +-
- arch/x86/include/asm/fpu/internal.h | 36 +-
- arch/x86/include/asm/fpu/types.h | 5 +-
+ arch/x86/include/asm/fpu/internal.h | 42 +-
+ arch/x86/include/asm/fpu/types.h | 6 +-
arch/x86/include/asm/futex.h | 14 +-
arch/x86/include/asm/hw_irq.h | 4 +-
arch/x86/include/asm/i8259.h | 2 +-
arch/x86/include/asm/local.h | 106 +-
arch/x86/include/asm/mman.h | 15 +
arch/x86/include/asm/mmu.h | 14 +-
- arch/x86/include/asm/mmu_context.h | 138 +-
+ arch/x86/include/asm/mmu_context.h | 114 +-
arch/x86/include/asm/module.h | 17 +-
arch/x86/include/asm/nmi.h | 19 +-
arch/x86/include/asm/page.h | 1 +
arch/x86/include/asm/paravirt_types.h | 15 +-
arch/x86/include/asm/pgalloc.h | 23 +
arch/x86/include/asm/pgtable-2level.h | 2 +
- arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable-3level.h | 7 +
arch/x86/include/asm/pgtable.h | 128 +-
arch/x86/include/asm/pgtable_32.h | 14 +-
arch/x86/include/asm/pgtable_32_types.h | 24 +-
- arch/x86/include/asm/pgtable_64.h | 22 +-
+ arch/x86/include/asm/pgtable_64.h | 23 +-
arch/x86/include/asm/pgtable_64_types.h | 5 +
arch/x86/include/asm/pgtable_types.h | 26 +-
arch/x86/include/asm/preempt.h | 2 +-
- arch/x86/include/asm/processor.h | 59 +-
- arch/x86/include/asm/ptrace.h | 21 +-
- arch/x86/include/asm/qrwlock.h | 4 +-
+ arch/x86/include/asm/processor.h | 57 +-
+ arch/x86/include/asm/ptrace.h | 13 +-
arch/x86/include/asm/realmode.h | 4 +-
arch/x86/include/asm/reboot.h | 10 +-
arch/x86/include/asm/rmwcc.h | 84 +-
arch/x86/kernel/acpi/wakeup_32.S | 6 +-
arch/x86/kernel/alternative.c | 124 +-
arch/x86/kernel/apic/apic.c | 4 +-
- arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 6 +-
arch/x86/kernel/apic/apic_noop.c | 2 +-
arch/x86/kernel/apic/bigsmp_32.c | 2 +-
arch/x86/kernel/apic/io_apic.c | 8 +-
arch/x86/kernel/apic/msi.c | 2 +-
- arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/probe_32.c | 4 +-
arch/x86/kernel/apic/vector.c | 4 +-
- arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 2 +-
arch/x86/kernel/apic/x2apic_phys.c | 2 +-
arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
arch/x86/kernel/apm_32.c | 21 +-
arch/x86/kernel/asm-offsets_64.c | 1 +
arch/x86/kernel/cpu/Makefile | 4 -
arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/bugs_64.c | 2 +
arch/x86/kernel/cpu/common.c | 202 +-
arch/x86/kernel/cpu/intel_cacheinfo.c | 14 +-
- arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 34 +-
arch/x86/kernel/cpu/mcheck/p5.c | 3 +
arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
- arch/x86/kernel/cpu/microcode/core.c | 2 +-
arch/x86/kernel/cpu/microcode/intel.c | 4 +-
arch/x86/kernel/cpu/mtrr/main.c | 2 +-
arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
- arch/x86/kernel/cpuid.c | 2 +-
arch/x86/kernel/crash_dump_64.c | 2 +-
arch/x86/kernel/doublefault.c | 8 +-
arch/x86/kernel/dumpstack.c | 24 +-
arch/x86/kernel/dumpstack_64.c | 62 +-
arch/x86/kernel/e820.c | 4 +-
arch/x86/kernel/early_printk.c | 1 +
- arch/x86/kernel/espfix_64.c | 13 +-
- arch/x86/kernel/fpu/core.c | 22 +-
- arch/x86/kernel/fpu/init.c | 8 +-
+ arch/x86/kernel/espfix_64.c | 44 +-
+ arch/x86/kernel/fpu/core.c | 24 +-
+ arch/x86/kernel/fpu/init.c | 40 +-
arch/x86/kernel/fpu/regset.c | 22 +-
arch/x86/kernel/fpu/signal.c | 20 +-
arch/x86/kernel/fpu/xstate.c | 8 +-
arch/x86/kernel/ftrace.c | 18 +-
arch/x86/kernel/head64.c | 14 +-
arch/x86/kernel/head_32.S | 235 +-
- arch/x86/kernel/head_64.S | 149 +-
+ arch/x86/kernel/head_64.S | 173 +-
arch/x86/kernel/i386_ksyms_32.c | 12 +
arch/x86/kernel/i8259.c | 10 +-
arch/x86/kernel/io_delay.c | 2 +-
arch/x86/kernel/kprobes/core.c | 28 +-
arch/x86/kernel/kprobes/opt.c | 16 +-
arch/x86/kernel/ksysfs.c | 2 +-
+ arch/x86/kernel/kvmclock.c | 20 +-
arch/x86/kernel/ldt.c | 25 +
arch/x86/kernel/livepatch.c | 12 +-
arch/x86/kernel/machine_kexec_32.c | 6 +-
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kernel/pci-iommu_table.c | 2 +-
arch/x86/kernel/pci-swiotlb.c | 2 +-
- arch/x86/kernel/process.c | 71 +-
- arch/x86/kernel/process_32.c | 30 +-
- arch/x86/kernel/process_64.c | 19 +-
+ arch/x86/kernel/process.c | 80 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 14 +-
arch/x86/kernel/ptrace.c | 20 +-
arch/x86/kernel/pvclock.c | 8 +-
arch/x86/kernel/reboot.c | 44 +-
arch/x86/kernel/tsc.c | 2 +-
arch/x86/kernel/uprobes.c | 2 +-
arch/x86/kernel/vm86_32.c | 6 +-
- arch/x86/kernel/vmlinux.lds.S | 147 +-
+ arch/x86/kernel/vmlinux.lds.S | 153 +-
arch/x86/kernel/x8664_ksyms_64.c | 6 +-
arch/x86/kernel/x86_init.c | 6 +-
arch/x86/kvm/cpuid.c | 21 +-
arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/lapic.c | 2 +-
arch/x86/kvm/paging_tmpl.h | 2 +-
- arch/x86/kvm/svm.c | 8 +
- arch/x86/kvm/vmx.c | 82 +-
- arch/x86/kvm/x86.c | 44 +-
+ arch/x86/kvm/svm.c | 10 +-
+ arch/x86/kvm/vmx.c | 62 +-
+ arch/x86/kvm/x86.c | 42 +-
arch/x86/lguest/boot.c | 3 +-
arch/x86/lib/atomic64_386_32.S | 164 +
arch/x86/lib/atomic64_cx8_32.S | 98 +-
- arch/x86/lib/checksum_32.S | 97 +-
+ arch/x86/lib/checksum_32.S | 99 +-
arch/x86/lib/clear_page_64.S | 3 +
arch/x86/lib/cmpxchg16b_emu.S | 3 +
arch/x86/lib/copy_page_64.S | 14 +-
arch/x86/mm/extable.c | 26 +-
arch/x86/mm/fault.c | 570 +-
arch/x86/mm/gup.c | 6 +-
- arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/highmem_32.c | 6 +
arch/x86/mm/hugetlbpage.c | 24 +-
- arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init.c | 111 +-
arch/x86/mm/init_32.c | 111 +-
arch/x86/mm/init_64.c | 46 +-
arch/x86/mm/iomap_32.c | 4 +
- arch/x86/mm/ioremap.c | 44 +-
+ arch/x86/mm/ioremap.c | 52 +-
arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
arch/x86/mm/mmap.c | 40 +-
arch/x86/mm/mmio-mod.c | 10 +-
arch/x86/mm/numa.c | 2 +-
- arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pageattr.c | 38 +-
arch/x86/mm/pat.c | 12 +-
arch/x86/mm/pat_rbtree.c | 2 +-
arch/x86/mm/pf_in.c | 10 +-
- arch/x86/mm/pgtable.c | 162 +-
+ arch/x86/mm/pgtable.c | 214 +-
arch/x86/mm/pgtable_32.c | 3 +
arch/x86/mm/setup_nx.c | 7 +
arch/x86/mm/tlb.c | 4 +
arch/x86/um/mem_32.c | 2 +-
arch/x86/um/tls_32.c | 2 +-
arch/x86/xen/enlighten.c | 50 +-
- arch/x86/xen/mmu.c | 17 +-
+ arch/x86/xen/mmu.c | 19 +-
arch/x86/xen/smp.c | 16 +-
arch/x86/xen/xen-asm_32.S | 2 +-
arch/x86/xen/xen-head.S | 11 +
block/scsi_ioctl.c | 29 +-
crypto/cryptd.c | 4 +-
crypto/pcrypt.c | 2 +-
- crypto/zlib.c | 4 +-
+ crypto/zlib.c | 12 +-
drivers/acpi/acpi_video.c | 2 +-
drivers/acpi/apei/apei-internal.h | 2 +-
drivers/acpi/apei/ghes.c | 4 +-
drivers/acpi/device_pm.c | 4 +-
drivers/acpi/ec.c | 2 +-
drivers/acpi/pci_slot.c | 2 +-
- drivers/acpi/processor_driver.c | 2 +-
drivers/acpi/processor_idle.c | 2 +-
drivers/acpi/processor_pdc.c | 2 +-
drivers/acpi/sleep.c | 2 +-
drivers/acpi/sysfs.c | 4 +-
drivers/acpi/thermal.c | 2 +-
drivers/acpi/video_detect.c | 7 +-
- drivers/ata/libahci.c | 2 +-
drivers/ata/libata-core.c | 12 +-
drivers/ata/libata-scsi.c | 2 +-
drivers/ata/libata.h | 2 +-
drivers/base/bus.c | 4 +-
drivers/base/devtmpfs.c | 8 +-
drivers/base/node.c | 2 +-
+ drivers/base/platform-msi.c | 20 +-
drivers/base/power/domain.c | 11 +-
drivers/base/power/sysfs.c | 2 +-
drivers/base/power/wakeup.c | 8 +-
+ drivers/base/regmap/regmap-debugfs.c | 11 +-
drivers/base/syscore.c | 4 +-
drivers/block/cciss.c | 28 +-
drivers/block/cciss.h | 2 +-
drivers/block/pktcdvd.c | 4 +-
drivers/block/rbd.c | 2 +-
drivers/bluetooth/btwilink.c | 2 +-
+ drivers/bus/arm-cci.c | 12 +-
drivers/cdrom/cdrom.c | 11 +-
drivers/cdrom/gdrom.c | 1 -
drivers/char/agp/compat_ioctl.c | 2 +-
drivers/char/random.c | 12 +-
drivers/char/sonypi.c | 11 +-
drivers/char/tpm/tpm_acpi.c | 3 +-
- drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/tpm/tpm_eventlog.c | 4 +-
drivers/char/virtio_console.c | 4 +-
drivers/clk/clk-composite.c | 2 +-
drivers/clk/samsung/clk.h | 2 +-
drivers/clk/socfpga/clk-gate.c | 9 +-
drivers/clk/socfpga/clk-pll.c | 9 +-
+ drivers/clk/ti/clk.c | 8 +-
drivers/cpufreq/acpi-cpufreq.c | 17 +-
drivers/cpufreq/cpufreq-dt.c | 4 +-
- drivers/cpufreq/cpufreq.c | 26 +-
+ drivers/cpufreq/cpufreq.c | 30 +-
drivers/cpufreq/cpufreq_governor.c | 2 +-
drivers/cpufreq/cpufreq_governor.h | 4 +-
drivers/cpufreq/cpufreq_ondemand.c | 10 +-
drivers/firmware/google/gsmi.c | 2 +-
drivers/firmware/google/memconsole.c | 7 +-
drivers/firmware/memmap.c | 2 +-
+ drivers/firmware/psci.c | 2 +-
drivers/gpio/gpio-davinci.c | 6 +-
drivers/gpio/gpio-em.c | 2 +-
drivers/gpio/gpio-ich.c | 2 +-
drivers/gpio/gpio-omap.c | 4 +-
drivers/gpio/gpio-rcar.c | 2 +-
drivers/gpio/gpio-vr41xx.c | 2 +-
- drivers/gpio/gpiolib.c | 13 +-
+ drivers/gpio/gpiolib.c | 12 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +-
drivers/gpu/drm/drm_ioctl.c | 2 +-
drivers/gpu/drm/gma500/mdfld_dsi_dpi.c | 10 +-
drivers/gpu/drm/i810/i810_drv.h | 4 +-
- drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
drivers/gpu/drm/i915/i915_dma.c | 2 +-
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
- drivers/gpu/drm/i915/i915_gem_gtt.c | 32 +-
- drivers/gpu/drm/i915/i915_gem_gtt.h | 16 +-
- drivers/gpu/drm/i915/i915_gem_stolen.c | 2 +-
- drivers/gpu/drm/i915/i915_ioc32.c | 16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.h | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 10 +-
drivers/gpu/drm/i915/intel_display.c | 26 +-
drivers/gpu/drm/imx/imx-drm-core.c | 2 +-
drivers/gpu/drm/mga/mga_drv.h | 4 +-
drivers/gpu/drm/udl/udl_fb.c | 1 -
drivers/gpu/drm/via/via_drv.h | 4 +-
drivers/gpu/drm/via/via_irq.c | 18 +-
- drivers/gpu/drm/virtio/virtgpu_debugfs.c | 2 +-
- drivers/gpu/drm/virtio/virtgpu_fence.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
drivers/gpu/vga/vga_switcheroo.c | 4 +-
drivers/hwmon/sht15.c | 12 +-
drivers/hwmon/via-cputemp.c | 2 +-
drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/ide/ide-cd.c | 2 +-
+ drivers/ide/ide-disk.c | 2 +-
drivers/iio/industrialio-core.c | 2 +-
drivers/iio/magnetometer/ak8975.c | 2 +-
drivers/infiniband/core/cm.c | 32 +-
drivers/infiniband/core/fmr_pool.c | 20 +-
drivers/infiniband/core/uverbs_cmd.c | 3 +
drivers/infiniband/hw/cxgb4/mem.c | 4 +-
- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
drivers/infiniband/hw/mlx4/mad.c | 2 +-
drivers/infiniband/hw/mlx4/mcg.c | 2 +-
drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
drivers/input/serio/serio.c | 4 +-
drivers/input/serio/serio_raw.c | 4 +-
drivers/input/touchscreen/htcpen.c | 2 +-
+ drivers/iommu/arm-smmu-v3.c | 2 +-
drivers/iommu/arm-smmu.c | 43 +-
drivers/iommu/io-pgtable-arm.c | 101 +-
drivers/iommu/io-pgtable.c | 11 +-
drivers/iommu/ipmmu-vmsa.c | 13 +-
drivers/iommu/irq_remapping.c | 2 +-
drivers/irqchip/irq-gic.c | 2 +-
+ drivers/irqchip/irq-i8259.c | 2 +-
drivers/irqchip/irq-renesas-intc-irqpin.c | 2 +-
drivers/irqchip/irq-renesas-irqc.c | 2 +-
drivers/isdn/capi/capi.c | 10 +-
drivers/md/persistent-data/dm-space-map-metadata.c | 4 +-
drivers/md/persistent-data/dm-space-map.h | 1 +
drivers/md/raid1.c | 4 +-
- drivers/md/raid10.c | 16 +-
+ drivers/md/raid10.c | 18 +-
drivers/md/raid5.c | 22 +-
drivers/media/dvb-core/dvbdev.c | 2 +-
drivers/media/dvb-frontends/af9033.h | 2 +-
drivers/mfd/max8925-i2c.c | 2 +-
drivers/mfd/tps65910.c | 2 +-
drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/wm5110-tables.c | 2 +-
+ drivers/mfd/wm8998-tables.c | 2 +-
drivers/misc/c2port/core.c | 4 +-
- drivers/misc/eeprom/sunxi_sid.c | 4 +-
drivers/misc/kgdbts.c | 4 +-
drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_tx.c | 4 +-
- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +-
drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
drivers/net/ethernet/sfc/ptp.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
drivers/net/ethernet/via/via-rhine.c | 2 +-
+ drivers/net/geneve.c | 2 +-
drivers/net/hyperv/hyperv_net.h | 2 +-
drivers/net/hyperv/rndis_filter.c | 4 +-
drivers/net/ifb.c | 2 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/sierra_net.c | 4 +-
drivers/net/virtio_net.c | 2 +-
+ drivers/net/vrf.c | 2 +-
drivers/net/vxlan.c | 4 +-
drivers/net/wimax/i2400m/rx.c | 2 +-
drivers/net/wireless/airo.c | 2 +-
drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath10k/ce.c | 6 +-
drivers/net/wireless/ath/ath10k/htc.c | 7 +-
drivers/net/wireless/ath/ath10k/htc.h | 4 +-
drivers/net/wireless/ath/ath9k/ar9002_mac.c | 36 +-
drivers/net/wireless/ath/ath9k/ar9003_mac.c | 64 +-
drivers/net/wireless/ath/ath9k/hw.h | 4 +-
drivers/net/wireless/ath/ath9k/main.c | 22 +-
+ drivers/net/wireless/ath/wil6210/wil_platform.h | 2 +-
drivers/net/wireless/b43/phy_lp.c | 2 +-
drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
drivers/oprofile/buffer_sync.c | 8 +-
drivers/oprofile/event_buffer.c | 2 +-
drivers/oprofile/oprof.c | 2 +-
- drivers/oprofile/oprofile_files.c | 2 +-
drivers/oprofile/oprofile_stats.c | 10 +-
drivers/oprofile/oprofile_stats.h | 10 +-
drivers/oprofile/oprofilefs.c | 6 +-
drivers/pci/hotplug/cpqphp_nvram.c | 2 +
drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
- drivers/pci/msi.c | 21 +-
+ drivers/pci/msi.c | 22 +-
drivers/pci/pci-sysfs.c | 6 +-
drivers/pci/pci.h | 2 +-
drivers/pci/pcie/aspm.c | 6 +-
drivers/pci/pcie/portdrv_pci.c | 2 +-
drivers/pci/probe.c | 2 +-
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 2 +-
drivers/pinctrl/pinctrl-at91.c | 5 +-
drivers/platform/chrome/chromeos_pstore.c | 2 +-
drivers/platform/x86/alienware-wmi.c | 4 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
drivers/scsi/lpfc/lpfc_init.c | 6 +-
drivers/scsi/lpfc/lpfc_scsi.c | 10 +-
+ drivers/scsi/megaraid/megaraid_sas.h | 2 +-
drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
drivers/scsi/pmcraid.c | 20 +-
drivers/scsi/pmcraid.h | 8 +-
drivers/scsi/sr.c | 21 +-
drivers/soc/tegra/fuse/fuse-tegra.c | 2 +-
drivers/spi/spi.c | 2 +-
- drivers/spi/spidev.c | 2 +-
drivers/staging/android/timed_output.c | 6 +-
drivers/staging/comedi/comedi_fops.c | 8 +-
drivers/staging/fbtft/fbtft-core.c | 2 +-
drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
drivers/staging/lustre/lustre/include/obd.h | 2 +-
- drivers/staging/lustre/lustre/libcfs/module.c | 6 +-
- drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet-rx.c | 20 +-
drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rdma/ipath/ipath_rc.c | 6 +-
+ drivers/staging/rdma/ipath/ipath_ruc.c | 6 +-
drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
drivers/staging/rtl8712/rtl871x_io.h | 2 +-
drivers/staging/sm750fb/sm750.c | 14 +-
drivers/staging/unisys/visorbus/visorbus_private.h | 4 +-
drivers/target/sbp/sbp_target.c | 4 +-
- drivers/target/target_core_device.c | 2 +-
- drivers/target/target_core_transport.c | 2 +-
drivers/thermal/cpu_cooling.c | 9 +-
drivers/thermal/int340x_thermal/int3400_thermal.c | 6 +-
drivers/thermal/of-thermal.c | 17 +-
drivers/tty/ipwireless/tty.c | 27 +-
drivers/tty/moxa.c | 2 +-
drivers/tty/n_gsm.c | 4 +-
- drivers/tty/n_tty.c | 5 +-
+ drivers/tty/n_tty.c | 3 +-
drivers/tty/pty.c | 4 +-
drivers/tty/rocket.c | 6 +-
drivers/tty/serial/8250/8250_core.c | 10 +-
drivers/uio/uio.c | 13 +-
drivers/usb/atm/cxacru.c | 2 +-
drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/class/cdc-acm.h | 2 +-
drivers/usb/core/devices.c | 6 +-
- drivers/usb/core/devio.c | 10 +-
+ drivers/usb/core/devio.c | 12 +-
drivers/usb/core/hcd.c | 4 +-
- drivers/usb/core/message.c | 6 +-
drivers/usb/core/sysfs.c | 2 +-
drivers/usb/core/usb.c | 2 +-
drivers/usb/early/ehci-dbgp.c | 16 +-
drivers/usb/host/xhci.c | 2 +-
drivers/usb/misc/appledisplay.c | 4 +-
drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/transport.c | 2 +-
drivers/usb/storage/usb.c | 2 +-
drivers/usb/storage/usb.h | 2 +-
drivers/usb/usbip/vhci.h | 2 +-
drivers/vfio/vfio.c | 2 +-
drivers/vhost/vringh.c | 20 +-
drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/console/fbcon.c | 2 +-
drivers/video/fbdev/aty/aty128fb.c | 2 +-
drivers/video/fbdev/aty/atyfb_base.c | 8 +-
drivers/video/fbdev/aty/mach64_cursor.c | 5 +-
fs/autofs4/waitq.c | 2 +-
fs/befs/endian.h | 6 +-
fs/binfmt_aout.c | 23 +-
- fs/binfmt_elf.c | 672 +-
- fs/binfmt_elf_fdpic.c | 2 +-
+ fs/binfmt_elf.c | 670 +-
+ fs/binfmt_elf_fdpic.c | 4 +-
fs/block_dev.c | 2 +-
fs/btrfs/ctree.c | 9 +-
- fs/btrfs/delayed-inode.c | 6 +-
- fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/delayed-inode.c | 9 +-
+ fs/btrfs/delayed-inode.h | 6 +-
+ fs/btrfs/file.c | 10 +-
+ fs/btrfs/inode.c | 14 +-
fs/btrfs/super.c | 2 +-
fs/btrfs/sysfs.c | 2 +-
fs/btrfs/tests/free-space-tests.c | 8 +-
fs/ecryptfs/miscdev.c | 2 +-
fs/exec.c | 362 +-
fs/ext2/xattr.c | 5 +-
- fs/ext3/xattr.c | 5 +-
fs/ext4/ext4.h | 20 +-
fs/ext4/mballoc.c | 44 +-
- fs/ext4/mmp.c | 2 +-
fs/ext4/resize.c | 16 +-
fs/ext4/super.c | 4 +-
fs/ext4/xattr.c | 5 +-
fs/squashfs/xattr.c | 12 +-
fs/sysv/sysv.h | 2 +-
fs/tracefs/inode.c | 8 +-
- fs/ubifs/io.c | 2 +-
fs/udf/misc.c | 2 +-
fs/ufs/swab.h | 4 +-
+ fs/userfaultfd.c | 2 +-
fs/xattr.c | 21 +
fs/xfs/libxfs/xfs_bmap.c | 2 +-
fs/xfs/xfs_dir2_readdir.c | 7 +-
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_linux.h | 4 +-
include/asm-generic/4level-fixup.h | 2 +
- include/asm-generic/atomic-long.h | 214 +-
+ include/asm-generic/atomic-long.h | 156 +-
include/asm-generic/atomic64.h | 12 +
- include/asm-generic/barrier.h | 2 +-
include/asm-generic/bitops/__fls.h | 2 +-
include/asm-generic/bitops/fls.h | 2 +-
include/asm-generic/bitops/fls64.h | 4 +-
include/asm-generic/pgtable-nopmd.h | 18 +-
include/asm-generic/pgtable-nopud.h | 15 +-
include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/sections.h | 1 +
include/asm-generic/uaccess.h | 16 +
- include/asm-generic/vmlinux.lds.h | 13 +-
+ include/asm-generic/vmlinux.lds.h | 15 +-
include/crypto/algapi.h | 2 +-
include/drm/drmP.h | 16 +-
include/drm/drm_crtc_helper.h | 2 +-
include/drm/ttm/ttm_page_alloc.h | 1 +
include/keys/asymmetric-subtype.h | 2 +-
include/linux/atmdev.h | 4 +-
- include/linux/atomic.h | 2 +-
+ include/linux/atomic.h | 17 +-
include/linux/audit.h | 2 +-
+ include/linux/average.h | 2 +-
include/linux/binfmts.h | 3 +-
include/linux/bitmap.h | 2 +-
include/linux/bitops.h | 8 +-
include/linux/clk-provider.h | 1 +
include/linux/compat.h | 6 +-
include/linux/compiler-gcc.h | 28 +-
- include/linux/compiler.h | 95 +-
- include/linux/completion.h | 12 +-
+ include/linux/compiler.h | 157 +-
include/linux/configfs.h | 2 +-
include/linux/cpufreq.h | 3 +-
include/linux/cpuidle.h | 5 +-
include/linux/irq.h | 5 +-
include/linux/irqdesc.h | 2 +-
include/linux/irqdomain.h | 3 +
- include/linux/jiffies.h | 30 +-
- include/linux/kernel.h | 2 +-
+ include/linux/jiffies.h | 16 +-
include/linux/key-type.h | 2 +-
include/linux/kgdb.h | 6 +-
include/linux/kmemleak.h | 4 +-
include/linux/kobject.h | 3 +-
include/linux/kobject_ns.h | 2 +-
include/linux/kref.h | 2 +-
- include/linux/kvm_host.h | 4 +-
include/linux/libata.h | 2 +-
include/linux/linkage.h | 1 +
include/linux/list.h | 15 +
include/linux/lockref.h | 26 +-
include/linux/math64.h | 10 +-
include/linux/mempolicy.h | 7 +
- include/linux/mm.h | 104 +-
+ include/linux/mm.h | 102 +-
include/linux/mm_types.h | 20 +
include/linux/mmiotrace.h | 4 +-
include/linux/mmzone.h | 2 +-
include/linux/ppp-comp.h | 2 +-
include/linux/preempt.h | 21 +
include/linux/proc_ns.h | 2 +-
+ include/linux/psci.h | 2 +-
include/linux/quota.h | 2 +-
- include/linux/random.h | 23 +-
+ include/linux/random.h | 19 +-
include/linux/rculist.h | 16 +
include/linux/reboot.h | 14 +-
include/linux/regset.h | 3 +-
include/linux/relay.h | 2 +-
include/linux/rio.h | 2 +-
include/linux/rmap.h | 4 +-
- include/linux/sched.h | 74 +-
+ include/linux/sched.h | 72 +-
include/linux/sched/sysctl.h | 1 +
include/linux/semaphore.h | 2 +-
include/linux/seq_file.h | 1 +
include/linux/signal.h | 2 +-
- include/linux/skbuff.h | 10 +-
+ include/linux/skbuff.h | 12 +-
include/linux/slab.h | 47 +-
include/linux/slab_def.h | 14 +-
include/linux/slub_def.h | 2 +-
include/linux/sunrpc/svc.h | 2 +-
include/linux/sunrpc/svc_rdma.h | 18 +-
include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swapops.h | 10 +-
include/linux/swiotlb.h | 3 +-
include/linux/syscalls.h | 21 +-
include/linux/syscore_ops.h | 2 +-
include/linux/uaccess.h | 6 +-
include/linux/uio_driver.h | 2 +-
include/linux/unaligned/access_ok.h | 24 +-
- include/linux/usb.h | 6 +-
+ include/linux/usb.h | 12 +-
include/linux/usb/hcd.h | 1 +
include/linux/usb/renesas_usbhs.h | 2 +-
include/linux/vermagic.h | 21 +-
include/net/inetpeer.h | 2 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 8 +-
+ include/net/ipv6.h | 2 +-
include/net/irda/ircomm_tty.h | 1 +
include/net/iucv/af_iucv.h | 2 +-
include/net/llc_c_ac.h | 2 +-
include/net/llc_c_st.h | 2 +-
include/net/llc_s_ac.h | 2 +-
include/net/llc_s_st.h | 2 +-
- include/net/mac80211.h | 2 +-
+ include/net/mac80211.h | 4 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 18 +-
include/net/netlink.h | 2 +-
include/scsi/sg.h | 2 +-
include/sound/compress_driver.h | 2 +-
include/sound/soc.h | 4 +-
- include/target/target_core_base.h | 2 +-
include/trace/events/irq.h | 4 +-
include/uapi/linux/a.out.h | 8 +
include/uapi/linux/bcache.h | 5 +-
kernel/events/internal.h | 10 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 2 +-
- kernel/fork.c | 165 +-
+ kernel/fork.c | 167 +-
kernel/futex.c | 11 +-
kernel/futex_compat.c | 2 +-
kernel/gcov/base.c | 7 +-
kernel/irq/manage.c | 2 +-
- kernel/irq/msi.c | 20 +-
+ kernel/irq/msi.c | 19 +-
kernel/irq/spurious.c | 2 +-
kernel/jump_label.c | 5 +
kernel/kallsyms.c | 37 +-
kernel/locking/mutex-debug.c | 12 +-
kernel/locking/mutex-debug.h | 4 +-
kernel/locking/mutex.c | 6 +-
- kernel/locking/rtmutex-tester.c | 24 +-
kernel/module.c | 422 +-
kernel/notifier.c | 17 +-
kernel/padata.c | 4 +-
kernel/ptrace.c | 8 +-
kernel/rcu/rcutorture.c | 60 +-
kernel/rcu/tiny.c | 4 +-
- kernel/rcu/tree.c | 66 +-
- kernel/rcu/tree.h | 26 +-
+ kernel/rcu/tree.c | 44 +-
+ kernel/rcu/tree.h | 14 +-
kernel/rcu/tree_plugin.h | 14 +-
- kernel/rcu/tree_trace.c | 22 +-
+ kernel/rcu/tree_trace.c | 12 +-
kernel/sched/auto_group.c | 4 +-
- kernel/sched/completion.c | 6 +-
kernel/sched/core.c | 45 +-
kernel/sched/fair.c | 2 +-
kernel/sched/sched.h | 2 +-
kernel/time/alarmtimer.c | 2 +-
kernel/time/posix-cpu-timers.c | 4 +-
kernel/time/posix-timers.c | 24 +-
- kernel/time/timer.c | 4 +-
+ kernel/time/timer.c | 2 +-
kernel/time/timer_stats.c | 10 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 15 +-
kernel/user_namespace.c | 2 +-
kernel/utsname_sysctl.c | 2 +-
kernel/watchdog.c | 2 +-
- kernel/workqueue.c | 4 +-
+ kernel/workqueue.c | 2 +-
lib/Kconfig.debug | 8 +-
lib/Makefile | 2 +-
- lib/average.c | 2 +-
- lib/bitmap.c | 10 +-
+ lib/bitmap.c | 8 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
lib/decompress_bunzip2.c | 3 +-
lib/vsprintf.c | 12 +-
mm/Kconfig | 6 +-
mm/backing-dev.c | 4 +-
+ mm/debug.c | 3 +
mm/filemap.c | 2 +-
mm/gup.c | 13 +-
- mm/highmem.c | 7 +-
+ mm/highmem.c | 6 +-
mm/hugetlb.c | 70 +-
- mm/internal.h | 3 +-
+ mm/internal.h | 1 +
mm/maccess.c | 4 +-
mm/madvise.c | 37 +
- mm/memory-failure.c | 34 +-
- mm/memory.c | 425 +-
+ mm/memory-failure.c | 6 +-
+ mm/memory.c | 424 +-
mm/mempolicy.c | 25 +
mm/mlock.c | 15 +-
mm/mm_init.c | 2 +-
mm/mmap.c | 582 +-
mm/mprotect.c | 137 +-
- mm/mremap.c | 44 +-
+ mm/mremap.c | 39 +-
mm/nommu.c | 21 +-
mm/page-writeback.c | 2 +-
mm/page_alloc.c | 49 +-
mm/swap.c | 2 +
mm/swapfile.c | 12 +-
mm/util.c | 6 +
- mm/vmalloc.c | 112 +-
+ mm/vmalloc.c | 114 +-
mm/vmstat.c | 12 +-
net/8021q/vlan.c | 5 +-
net/8021q/vlan_netlink.c | 2 +-
net/core/net_namespace.c | 8 +-
net/core/netpoll.c | 4 +-
net/core/rtnetlink.c | 15 +-
- net/core/scm.c | 8 +-
+ net/core/scm.c | 14 +-
net/core/skbuff.c | 8 +-
net/core/sock.c | 28 +-
net/core/sock_diag.c | 15 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 10 +-
net/ipv4/xfrm4_policy.c | 18 +-
- net/ipv6/addrconf.c | 16 +-
+ net/ipv6/addrconf.c | 18 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/datagram.c | 2 +-
net/ipv6/icmp.c | 2 +-
net/ipv6/sit.c | 4 +-
net/ipv6/sysctl_net_ipv6.c | 2 +-
net/ipv6/udp.c | 6 +-
- net/ipv6/xfrm6_policy.c | 23 +-
+ net/ipv6/xfrm6_policy.c | 17 +-
net/irda/ircomm/ircomm_tty.c | 18 +-
net/iucv/af_iucv.c | 4 +-
net/iucv/iucv.c | 2 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/openvswitch/vport-internal_dev.c | 2 +-
- net/openvswitch/vport.c | 16 +-
- net/openvswitch/vport.h | 8 +-
net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/sunrpc/clnt.c | 4 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/svc.c | 4 +-
- net/sunrpc/svcauth_unix.c | 4 +-
+ net/sunrpc/svcauth_unix.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
scripts/Kbuild.include | 2 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.clean | 3 +-
- scripts/Makefile.host | 63 +-
+ scripts/Makefile.host | 69 +-
scripts/basic/fixdep.c | 12 +-
scripts/dtc/checks.c | 14 +-
scripts/dtc/data.c | 6 +-
scripts/pnmtologo.c | 6 +-
scripts/sortextable.h | 6 +-
scripts/tags.sh | 2 +-
- security/Kconfig | 691 +-
+ security/Kconfig | 692 +-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
sound/pci/hda/hda_codec.c | 2 +-
sound/pci/ymfpci/ymfpci.h | 2 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/codecs/sti-sas.c | 10 +-
sound/soc/soc-ac97.c | 6 +-
sound/soc/xtensa/xtfpga-i2s.c | 2 +-
tools/gcc/Makefile | 42 +
tools/gcc/checker_plugin.c | 150 +
tools/gcc/colorize_plugin.c | 215 +
- tools/gcc/constify_plugin.c | 564 +
- tools/gcc/gcc-common.h | 790 +
- tools/gcc/initify_plugin.c | 450 +
+ tools/gcc/constify_plugin.c | 571 +
+ tools/gcc/gcc-common.h | 812 +
+ tools/gcc/initify_plugin.c | 552 +
tools/gcc/kallocstat_plugin.c | 188 +
- tools/gcc/kernexec_plugin.c | 551 +
+ tools/gcc/kernexec_plugin.c | 549 +
tools/gcc/latent_entropy_plugin.c | 470 +
tools/gcc/size_overflow_plugin/.gitignore | 2 +
- tools/gcc/size_overflow_plugin/Makefile | 26 +
- .../disable_size_overflow_hash.data |11008 ++++++++++++++
+ tools/gcc/size_overflow_plugin/Makefile | 28 +
+ .../disable_size_overflow_hash.data |12422 ++++++++++++
.../generate_size_overflow_hash.sh | 103 +
- .../insert_size_overflow_asm.c | 409 +
- .../size_overflow_plugin/intentional_overflow.c | 980 ++
+ .../insert_size_overflow_asm.c | 416 +
+ .../size_overflow_plugin/intentional_overflow.c | 1010 +
.../size_overflow_plugin/remove_unnecessary_dup.c | 137 +
- tools/gcc/size_overflow_plugin/size_overflow.h | 329 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c | 192 +
- .../size_overflow_plugin/size_overflow_hash.data |15719 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin/size_overflow.h | 323 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 194 +
+ .../size_overflow_plugin/size_overflow_hash.data |20735 ++++++++++++++++++++
.../size_overflow_hash_aux.data | 92 +
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1373 ++
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1226 ++
.../gcc/size_overflow_plugin/size_overflow_misc.c | 505 +
.../size_overflow_plugin/size_overflow_plugin.c | 318 +
- .../size_overflow_plugin_hash.c | 353 +
- .../size_overflow_plugin/size_overflow_transform.c | 576 +
- .../size_overflow_transform_core.c | 962 ++
+ .../size_overflow_plugin_hash.c | 352 +
+ .../size_overflow_plugin/size_overflow_transform.c | 749 +
+ .../size_overflow_transform_core.c | 1010 +
tools/gcc/stackleak_plugin.c | 436 +
tools/gcc/structleak_plugin.c | 287 +
tools/include/linux/compiler.h | 8 +
tools/lib/api/Makefile | 2 +-
tools/perf/util/include/asm/alternative-asm.h | 3 +
tools/virtio/linux/uaccess.h | 2 +-
- virt/kvm/kvm_main.c | 44 +-
- 1963 files changed, 60342 insertions(+), 8946 deletions(-)
+ virt/kvm/kvm_main.c | 42 +-
+ 1944 files changed, 66925 insertions(+), 8949 deletions(-)