+commit 489fa0be1ea2ce2665611bc315f229486c64dbc5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 27 23:19:52 2016 -0400
+
+ Historically we did not trigger a BUG() on REFCOUNT violations due to the risk
+ of false positives, some of which took months or longer to exhibit themselves.
+ Initially, in fact, there was no task killing at all involved due to the risk of
+ a legitimate increment following a full set of intentional "leaky" increments
+ causing the wrong process to be killed and the wrong user to be banned (or a
+ panic ensuing). These risks were also weighed against the risk documented in
+ the REFCOUNT blog and elsewhere of a race on x86 where the refcount could
+ surpass INT_MAX. Regardless of whether the race is practical or not (and ways
+ of addressing that race are already mentioned in the REFCOUNT blog) given the
+ recent development of a GCC plugin to proactively tease out false positives
+ mentioned above, it's safe enough now to simply BUG() on refcount overflow
+ attempts. This handles both the race case as well as the case of atomic_t being
+ used when atomic64_t is really necessary to be able to express the full amount
+ of object references (when grsecurity's kernel bruteforce defense is enabled as
+ it is by default).
+
+ Suggested by Jann Horn at: http://www.openwall.com/lists/kernel-hardening/2016/06/25/2
+
+ fs/exec.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+commit 0fb349e90e9de1d35ab4e7cd33b0f230b30c340f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 27 17:14:06 2016 -0400
+
+ Fix a UAF only triggerable by privileged root processes on the
+ short-lived delayed_cred pointer by grabbing a reference where
+ applicable at fork time -- not a security issue
+ Thanks to Jann Horn for the report
+
+ kernel/fork.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+commit 6eb392861c72839f7af44d0e57927f362a2a0df5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 18:07:05 2016 -0400
+
+ compile fix
+
+ fs/posix_acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 1eed3a4206abdd68b35537dcff1b1832b28d4617
+Author: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed Jun 22 19:43:35 2016 +0100
+
+ nfsd: check permissions when setting ACLs
+
+ Use set_posix_acl, which includes proper permission checks, instead of
+ calling ->set_acl directly. Without this anyone may be able to grant
+ themselves permissions to a file by setting the ACL.
+
+ Lock the inode to make the new checks atomic with respect to set_acl.
+ (Also, nfsd was the only caller of set_acl not locking the inode, so I
+ suspect this may fix other races.)
+
+ This also simplifies the code, and ensures our ACLs are checked by
+ posix_acl_valid.
+
+ The permission checks and the inode locking were lost with commit
+ 4ac7249e, which changed nfsd to use the set_acl inode operation directly
+ instead of going through xattr handlers.
+
+ Reported-by: David Sinquin <david@sinquin.eu>
+ [agreunba@redhat.com: use set_posix_acl]
+ Fixes: 4ac7249e
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/nfsd/nfs2acl.c | 20 ++++++++++----------
+ fs/nfsd/nfs3acl.c | 16 +++++++---------
+ fs/nfsd/nfs4acl.c | 16 ++++++++--------
+ 3 files changed, 25 insertions(+), 27 deletions(-)
+
+commit d5be7c0c7a8e0408e9faf62dcaaf2471fe19d3a0
+Author: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Wed Jun 22 23:57:25 2016 +0200
+
+ posix_acl: Add set_posix_acl
+
+ Factor out part of posix_acl_xattr_set into a common function that takes
+ a posix_acl, which nfsd can also call.
+
+ The prototype already exists in include/linux/posix_acl.h.
+
+ Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+ Cc: stable@vger.kernel.org
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/posix_acl.c | 46 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+commit 5d722e6ce47a1c1987e862c84c4b56ddbc4423de
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 17:33:38 2016 -0400
+
+ Fix ICE caused by duplicate plugin loads from the recent plugin
+ infrastructure changes
+
+ init/Makefile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+commit 278d24df4f61ab171288187e6952ace4a82d42dc
+Merge: 0c59418 83e55cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 12:40:25 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83e55cbeedfb0b8712de995457c395b1ba8fe936
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 26 12:11:40 2016 -0400
+
+ Update to pax-linux-4.5.7-test16.patch:
+ - imported a few more gcc plugin infrastructure changes from Emese's upstreaming work
+
+ .gitignore | 1 +
+ Makefile | 1 +
+ drivers/hv/hv.c | 2 +-
+ fs/namespace.c | 3 +-
+ include/linux/init.h | 4 +-
+ scripts/Makefile | 3 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.gcc-plugins | 5 ++-
+ scripts/Makefile.host | 7 ++-
+ scripts/gcc-plugins/Makefile | 54 +++++++----------------
+ scripts/gcc-plugins/rap_plugin/Makefile | 2 +
+ scripts/gcc-plugins/size_overflow_plugin/Makefile | 2 +
+ 12 files changed, 39 insertions(+), 48 deletions(-)
+
+commit 0c59418c05aa82cc46806b2b9b324d44ad5f043b
+Author: Scott Bauer <sbauer@plzdonthack.me>
+Date: Thu Jun 23 08:59:47 2016 -0600
+
+ HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
+
+ This patch validates the num_values parameter from userland during the
+ HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
+ to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
+ leading to a heap overflow.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+
+ drivers/hid/usbhid/hiddev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+commit 6c4919ead98c7342acecbd28f781dd2c3a37be4e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 25 07:22:44 2016 -0400
+
+ fix typo
+
+ scripts/Makefile.gcc-plugins | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 44fc4dd89969440d883528361bf65e6e82e35b49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 19:37:20 2016 -0400
+
+ RANDSTRUCT compile fix
+
+ drivers/gpu/drm/amd/powerplay/hwmgr/fiji_thermal.c | 20 ++++++++++----------
+ drivers/gpu/drm/amd/powerplay/hwmgr/tonga_thermal.c | 20 ++++++++++----------
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+commit 08022b387ddd8856d39ace5d6f92636c7d1b422a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 19:22:39 2016 -0400
+
+ RANDSTRUCT compile fix
+
+ .../drm/amd/powerplay/hwmgr/cz_clockpowergating.c | 12 +++--
+ drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c | 58 +++++++++++-----------
+ 2 files changed, 38 insertions(+), 32 deletions(-)
+
+commit f48aea278530eb71ce2f9a24dc9e245f29d530ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 18:52:19 2016 -0400
+
+ compile fix
+
+ drivers/hv/hv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 1ce67be0c2ccf325fc5110ee052a8d0b08f09959
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 17:45:26 2016 -0400
+
+ Add missing entries for RANDSTRUCT to scripts/Makefile.gcc-plugins
+ Bug introduced during 4.5 port during merging with upstream bikeshedding
+ scripts/gcc-plugins/Makefile was updated properly, but scripts/Makefile.gcc-plugins was not
+ This unfortunately means RANDSTRUCT was silently not enabled for all of the 4.5 patches to date
+
+ scripts/Makefile.gcc-plugins | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+commit 6bf5265035d4617a1ef7845e7915389e1c65647b
+Merge: c881b58 542e9e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 17:01:33 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 542e9e9a75e654b7e352025ecc67c6a2f98d8ea2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 24 17:00:25 2016 -0400
+
+ Update to pax-linux-4.5.7-test14.patch:
+ - synchronized with Emese's gcc plugin related changes headed upstream
+ - fixed a REFCOUNT false positive in nf_conntrack_init_net, reported by minipli
+ - fixed a regression in the recent Hyper-V support under !KERNEXEC
+
+ Makefile | 9 ---------
+ arch/x86/entry/vdso/vma.c | 2 +-
+ drivers/hv/hv.c | 2 +-
+ include/linux/compiler-gcc.h | 2 ++
+ include/linux/init.h | 8 +-------
+ include/linux/random.h | 8 ++++----
+ mm/page_alloc.c | 8 +++++---
+ net/netfilter/nf_conntrack_core.c | 4 ++--
+ scripts/Kbuild.include | 10 +++++++---
+ scripts/Makefile.gcc-plugins | 31 ++++++++++++++++++++++++-------
+ scripts/gcc-plugin.sh | 14 ++++++++++++++
+ security/Kconfig | 3 ++-
+ 12 files changed, 63 insertions(+), 38 deletions(-)
+
+commit c881b58ba51680e30758c1ea12058cd76c578672
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 19:27:11 2016 -0400
+
+ compile fix
+
+ arch/x86/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 6f889875e9f23d3d5a4751d09cc47f6e39eb9e1b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 17:37:53 2016 -0400
+
+ Don't bother further restricting /dev/mem when GRKERNSEC_KMEM is disabled,
+ fixes tboot use
+ Reported by Mark van Dijk
+ Previous MSR problem was also reported by Mark van Dijk
+
+ arch/x86/mm/init.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+commit 1b99e76b8f41a8495ff085ffccab0e1bc8abed59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 17:22:14 2016 -0400
+
+ Whitelist writes to MSR_IA32_ENERGY_PERF_BIAS
+
+ arch/x86/kernel/msr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+commit 8c013d99d311850cade58ed5f9da05fb7f2c2873
+Merge: 33e588f 9b2decf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 07:46:27 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9b2decf0bccddae6e630a2548d53d2a9718891a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 22 07:46:03 2016 -0400
+
+ Update to pax-linux-4.5.7-test13.patch:
+ - fixed a bad function pointer cast in dma_buf_show caught by RAP, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bad function type in the intel cstate sysfs code caught by RAP, reported by sth0R (https://forums.grsecurity.net/viewtopic.php?f=3&t=4497)
+ - worked around an intentional integer overflow in the PCI resource sizing code caught by the size overflow plugin, reported by kysse/Ville Vuorinen
+ - fixed an integer underflow in the ELF coredump code caught by the size overflow plugin, reported by Dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4495)
+ - fixed Hyper-V's hypercall page allocation to work under !KERNEXEC as well, reported by btnet (https://forums.grsecurity.net/viewtopic.php?f=3&t=3911), based on an idea by Pablo Sole (https://bugs.alpinelinux.org/issues/1021#note-27)
+ - fixed a REFCOUNT false positive in wpan_phy_new
+
+ arch/x86/include/asm/pgtable_64.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_cstate.c | 6 +++---
+ arch/x86/kernel/head_64.S | 10 ++++++++--
+ arch/x86/xen/mmu.c | 10 ++++++++--
+ drivers/dma-buf/dma-buf.c | 5 ++---
+ drivers/hv/hv.c | 23 +++++++----------------
+ drivers/pci/setup-bus.c | 8 ++++++--
+ fs/exec.c | 4 ++--
+ include/linux/types.h | 2 ++
+ net/ieee802154/core.c | 6 +++---
+ 10 files changed, 42 insertions(+), 34 deletions(-)
+
+commit 33e588f130c19cac089c2b0d70c939bee84ba812
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 17 20:15:46 2016 -0400
+
+ Update KSTACKOVERFLOW dependency, update documentation
+
+ grsecurity/Kconfig | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit d877624a8034129afc61dcc0f6127d69ee7a08d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 15 06:28:18 2016 -0400
+
+ Backport fix for http://seclists.org/oss-sec/2016/q2/553
+
+ security/keys/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 39c61be367e5f1e1e0a08592ab3b23e71779ac9f
+Merge: c63d655 66f9687
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 14 18:19:37 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 66f968756cfcc3ab040ad99deb570fb445108fb9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 14 18:19:04 2016 -0400
+
+ Update to pax-linux-4.5.5-test12.patch:
+ - fixed a KERNEXEC regression when writing to /proc/sys/kernel/watchdog_cpumask, reported by shadowdaemon
+ - Emese worked around a gcc induced intentional integer overflow in jfs that triggered a size overflow report, reported by g66 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4486)
+ - Emese relicensed the size overflow plugin to GPLv2 only
+ - Emese added size overflow coverage for vmnet in the hash tables, reported by Shawn <citypw@gmail.com>
+ - Emese enhanced the latent entropy in various ways (https://github.com/ephox-gcc-plugins/latent_entropy/commits/master)
+ - fixed pax_sanitize_slab=off for kmalloc and boot caches, by Mathias Krause <minipli@ld-linux.so>
+ - eliminated the memory overhead of SLUB sanitization, by Mathias Krause <minipli@ld-linux.so>
+
+ kernel/smpboot.c | 3 +
+ mm/slab.c | 2 +
+ mm/slab.h | 15 +
+ mm/slab_common.c | 7 -
+ mm/slob.c | 2 +
+ mm/slub.c | 8 +-
+ scripts/gcc-plugins/latent_entropy_plugin.c | 361 +++++++++++++++------
+ .../disable_size_overflow_hash.data | 1 +
+ .../insert_size_overflow_asm.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 2 +-
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 2 +-
+ .../size_overflow_plugin/size_overflow_debug.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ .../size_overflow_hash_aux.data | 5 +
+ .../size_overflow_plugin/size_overflow_ipa.c | 2 +-
+ .../size_overflow_plugin/size_overflow_misc.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin_hash.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 2 +-
+ .../size_overflow_transform_core.c | 2 +-
+ 20 files changed, 310 insertions(+), 115 deletions(-)
+
+commit c63d655907910533ed9d50671e98774b4b797578
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed May 25 11:48:25 2016 -0400
+
+ percpu: fix synchronization between synchronous map extension and chunk destruction
+
+ For non-atomic allocations, pcpu_alloc() can try to extend the area
+ map synchronously after dropping pcpu_lock; however, the extension
+ wasn't synchronized against chunk destruction and the chunk might get
+ freed while extension is in progress.
+
+ This patch fixes the bug by putting most of non-atomic allocations
+ under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
+ is responsible for async chunk management including destruction.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+ Reported-by: Vlastimil Babka <vbabka@suse.cz>
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Cc: stable@vger.kernel.org # v3.18+
+ Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
+
+ mm/percpu.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+commit 63442a31da7b33c5d6ab80254a2af78616b91aa8
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed May 25 11:48:25 2016 -0400
+
+ percpu: fix synchronization between chunk->map_extend_work and chunk destruction
+
+ Atomic allocations can trigger async map extensions which is serviced
+ by chunk->map_extend_work. pcpu_balance_work which is responsible for
+ destroying idle chunks wasn't synchronizing properly against
+ chunk->map_extend_work and may end up freeing the chunk while the work
+ item is still in flight.
+
+ This patch fixes the bug by rolling async map extension operations
+ into pcpu_balance_work.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+ Reported-by: Vlastimil Babka <vbabka@suse.cz>
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Cc: stable@vger.kernel.org # v3.18+
+ Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
+
+ mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+commit 7187611ba0d834ec7db27904c0cdf07bc9bc7d8f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 11 19:54:40 2016 -0400
+
+ Only bother establishing the PTEs for the vmap'd stack on creation
+
+ fs/exec.c | 1 -
+ include/linux/sched.h | 9 ++++-----
+ kernel/fork.c | 3 ++-
+ kernel/sched/core.c | 2 --
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+commit a6e150dfb383fcb4c8d5294c59f2d21425ff9f72
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 11 13:18:33 2016 -0400
+
+ Work around upstream's use of probe_kernel_address in alignment handling
+ which uses KERNEL_DS but wants to access userland memory directly --
+ not allowed by PaX. Reported by jotik
+
+ arch/arm/mm/alignment.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+commit 1646af929d2465bc7a21a3c180de677e0b0b7950
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Wed May 18 14:09:12 2016 +1000
+
+ xfs: mark reclaimed inodes invalid earlier
+
+ The last thing we do before using call_rcu() on an xfs_inode to be
+ freed is mark it as invalid. This means there is a window between
+ when we know for certain that the inode is going to be freed and
+ when we do actually mark it as "freed".
+
+ This is important in the context of RCU lookups - we can look up the
+ inode, find that it is valid, and then use it as such not realising
+ that it is in the final stages of being freed.
+
+ As such, mark the inode as being invalid the moment we know it is
+ going to be reclaimed. This can be done while we still hold the
+ XFS_ILOCK_EXCL and the flush lock in xfs_inode_reclaim, meaning that
+ it occurs well before we remove it from the radix tree, and that
+ the i_flags_lock, the XFS_ILOCK and the inode flush lock all act as
+ synchronisation points for detecting that an inode is about to go
+ away.
+
+ For defensive purposes, this allows us to add a further check to
+ xfs_iflush_cluster to ensure we skip inodes that are being freed
+ after we grab the XFS_ILOCK_SHARED and the flush lock - we know that
+ if the inode number if valid while we have these locks held we know
+ that it has not progressed through reclaim to the point where it is
+ clean and is about to be freed.
+
+ [bfoster: fixed __xfs_inode_clear_reclaim() using ip->i_ino after it
+ had already been zeroed.]
+
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Dave Chinner <david@fromorbit.com>
+
+ fs/xfs/xfs_icache.c | 46 ++++++++++++++++++++++++++++++++++------------
+ fs/xfs/xfs_inode.c | 13 +++++++++++++
+ 2 files changed, 47 insertions(+), 12 deletions(-)
+
+commit 096f3d24e77f4cd8fe50008623b26c89cb00ccda
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Wed May 18 14:01:53 2016 +1000
+
+ xfs: xfs_inode_free() isn't RCU safe
+
+ The xfs_inode freed in xfs_inode_free() has multiple allocated
+ structures attached to it. We free these in xfs_inode_free() before
+ we mark the inode as invalid, and before we run call_rcu() to queue
+ the structure for freeing.
+
+ Unfortunately, this freeing can race with other accesses that are in
+ the RCU current grace period that have found the inode in the radix
+ tree with a valid state. This includes xfs_iflush_cluster(), which
+ calls xfs_inode_clean(), and that accesses the inode log item on the
+ xfs_inode.
+
+ The log item structure is freed in xfs_inode_free(), so there is the
+ possibility we can be accessing freed memory in xfs_iflush_cluster()
+ after validating the xfs_inode structure as being valid for this RCU
+ context. Hence we can get spuriously incorrect clean state returned
+ from such checks. This can lead to use thinking the inode is dirty
+ when it is, in fact, clean, and so incorrectly attaching it to the
+ buffer for IO and completion processing.
+
+ This then leads to use-after-free situations on the xfs_inode itself
+ if the IO completes after the current RCU grace period expires. The
+ buffer callbacks will access the xfs_inode and try to do all sorts
+ of things it shouldn't with freed memory.
+
+ IOWs, xfs_iflush_cluster() only works correctly when racing with
+ inode reclaim if the inode log item is present and correctly stating
+ the inode is clean. If the inode is being freed, then reclaim has
+ already made sure the inode is clean, and hence xfs_iflush_cluster
+ can skip it. However, we are accessing the inode inode under RCU
+ read lock protection and so also must ensure that all dynamically
+ allocated memory we reference in this context is not freed until the
+ RCU grace period expires.
+
+ To fix this, move all the potential memory freeing into
+ xfs_inode_free_callback() so that we are guarantee RCU protected
+ lookup code will always have the memory structures it needs
+ available during the RCU grace period that lookup races can occur
+ in.
+
+ Discovered-by: Brain Foster <bfoster@redhat.com>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Christoph Hellwig <hch@lst.de>
+ Signed-off-by: Dave Chinner <david@fromorbit.com>
+
+ fs/xfs/xfs_icache.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+commit eaec09dbc18fe0ae7905b33b4c819a467a0e801d
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:07 2016 +0200
+
+ sched: panic on corrupted stack end
+
+ Until now, hitting this BUG_ON caused a recursive oops (because oops
+ handling involves do_exit(), which calls into the scheduler, which in
+ turn raises an oops), which caused stuff below the stack to be
+ overwritten until a panic happened (e.g. via an oops in interrupt
+ context, caused by the overwritten CPU index in the thread_info).
+
+ Just panic directly.
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+commit 96894afd3cbd735ed9230f058a32865dec270da2
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:06 2016 +0200
+
+ ecryptfs: forbid opening files without mmap handler
+
+ This prevents users from triggering a stack overflow through a recursive
+ invocation of pagefault handling that involves mapping procfs files into
+ virtual memory.
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Acked-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+commit 06608cb36ab8329c7cf03fdabc86fb7f64a2656d
+Author: Jann Horn <jannh@google.com>
+Date: Wed Jun 1 11:55:05 2016 +0200
+
+ proc: prevent stacking filesystems on top
+
+ This prevents stacking filesystems (ecryptfs and overlayfs) from using
+ procfs as lower filesystem. There is too much magic going on inside
+ procfs, and there is no good reason to stack stuff on top of procfs.
+
+ (For example, procfs does access checks in VFS open handlers, and
+ ecryptfs by design calls open handlers from a kernel thread that doesn't
+ drop privileges or so.)
+
+ Signed-off-by: Jann Horn <jannh@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/proc/root.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+commit 7cff8ffababda8d77e7e3a3f2621b26269279b9a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed May 4 14:04:13 2016 -0400
+
+ ecryptfs: fix handling of directory opening
+
+ First of all, trying to open them r/w is idiocy; it's guaranteed to fail.
+ Moreover, assigning ->f_pos and assuming that everything will work is
+ blatantly broken - try that with e.g. tmpfs as underlying layer and watch
+ the fireworks. There may be a non-trivial amount of state associated with
+ current IO position, well beyond the numeric offset. Using the single
+ struct file associated with underlying inode is really not a good idea;
+ we ought to open one for each ecryptfs directory struct file.
+
+ Additionally, file_operations both for directories and non-directories are
+ full of pointless methods; non-directories should *not* have ->iterate(),
+ directories should not have ->flush(), ->fasync() and ->splice_read().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/file.c | 71 ++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 55 insertions(+), 16 deletions(-)
+
+commit b690dcd62ad1433e69d391a267ce01534c19d20a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:59:28 2016 -0400
+
+ fix compiler warnings
+
+ fs/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit 5d43ec1fb9c94f0c2644e0d09a8257442134a0ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:52:00 2016 -0400
+
+ Avoid some UB
+
+ fs/exec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit d34347de1cae1f7bd8ea4223d5baca5da8ea4529
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:23:27 2016 -0400
+
+ compile fix
+
+ kernel/smpboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+commit 4dfdd6b803d58fec94306a4ff437d500a9c80908
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 20:13:34 2016 -0400
+
+ Add open/close around cpumask modification, reported by shadowdaemon
+ Triggered by writing to /proc/sys/kernel/watchdog_cpumask
+
+ kernel/smpboot.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+commit 1ee24693e22a535dbede927beba7b90cd8559eb4
+Merge: 11150b9 dec4686
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 07:39:26 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit dec468678ead461fc786adfbb2505b6ef66a371a
+Merge: 85a5882 8c596d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 8 07:39:18 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit 11150b92c4cd78ec6a22ad0ff682faf2354b4445
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 14:18:34 2016 -0400
+
+ compile fix
+
+ grsecurity/grsec_tpe.c | 4 ++--
+ include/linux/uidgid.h | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 6e548aad3425733ed443e4a3232205935f0d4939
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 08:19:09 2016 -0400
+
+ Workaround some Debian bike-shedding so that group-writable /bin dirs
+ (with group ownership of root) don't trigger TPE violations
+ Reported by jvoisin
+
+ grsecurity/grsec_tpe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit 735ea2028ce017246358d22ec81dc6db73499770
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 04:23:15 2016 -0400
+
+ move another instance of is_privileged_binary outside of atomic
+
+ grsecurity/gracl_segv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+commit e08a7bcc7b7a1e423b5346bcef85d9a92185f65f
+Merge: d094457 85a5882
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 04:09:29 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 85a588299f41d6a116b8d07d902de986968a84b0
+Merge: 89f00c3 ec2a755
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 5 04:08:42 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit d094457eb90a693f7007b7f4b26c2132137c7ed2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 30 10:15:11 2016 -0400
+
+ move privilege/xattr check outside of locks to prevent warning, reported by shadowdaemon
+
+ grsecurity/grsec_sig.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+commit 2fad2bb3392409d98498b3af53cf39f2475e4b70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 10:11:27 2016 -0400
+
+ Fix another harmless warning
+
+ fs/proc/proc_sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit d62f996e40c87e46b20f45e16819f92d49f3e926
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 09:56:32 2016 -0400
+
+ Fix more harmless compiler warnings
+
+ grsecurity/gracl_policy.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+commit 558b784a2b87e337d12bae07d60f435c2f06d849
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 09:47:50 2016 -0400
+
+ Fix more harmless warnings
+
+ grsecurity/gracl.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+commit 32ec63339ab130758e6941d7f1d8993e41956980
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 09:41:23 2016 -0400
+
+ Fix another warning
+
+ include/linux/sched.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+commit 789369de0dbde1fedd2d5cb0ee3474e160af187c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 09:22:05 2016 -0400
+
+ Fix some harmless compiler warnings
+
+ grsecurity/grsum.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit ed18543a205c206d0aa8ee6b04c606579823b7b3
+Merge: b0b4143 89f00c3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 08:34:18 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89f00c3b596a62ae5bcfe4920e9d05b9a94be7fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 29 08:26:37 2016 -0400
+
+ Update to pax-linux-4.5.5-test11.patch:
+ - fixed arm kuser helper emulation for thumb mode userland, reported by Wizzup(https://forums.grsecurity.net/viewtopic.php?f=3&t=4479)
+ - fixed incorrect function pointer casts in bcache caught by RAP, reported by torsten (https://forums.grsecurity.net/viewtopic.php?f=3&t=4482)
+ - worked around a few intentional integer underflows in the xhci driver caught by the size overflow plugin, reported by Dennis Wassenberg <dennis.wassenberg@secunet.com>
+ - moved gcc plugins from tools/gcc to scripts/gcc-plugins and simplified the plugin build system, by Emese
+ - changed the constify and latent entropy plugins to use a consistent command line switch for compile-time disabling
+ - cleaned up a few unusued macros, whitespace, inline asm constraints, etc
+ - hid the lvalue casts needed for constify behind the const_cast macro, by Mathias Krause <minipli@ld-linux.so>
+
+ Makefile | 50 +-
+ arch/Kconfig | 14 +
+ arch/arm/Kconfig | 1 +
+ arch/arm/boot/compressed/Makefile | 2 +
+ arch/arm/mach-exynos/suspend.c | 4 +-
+ arch/arm/mach-omap2/powerdomains43xx_data.c | 2 +-
+ arch/arm/mach-shmobile/platsmp-apmu.c | 2 +-
+ arch/arm/mm/fault.c | 14 +
+ arch/arm64/Kconfig | 1 +
+ arch/mips/Kconfig | 1 +
+ arch/powerpc/Kconfig | 1 +
+ arch/powerpc/include/asm/atomic.h | 7 +-
+ arch/powerpc/kernel/Makefile | 8 +-
+ arch/sparc/Kconfig | 1 +
+ arch/um/Makefile | 4 +-
+ arch/x86/Kconfig | 1 +
+ arch/x86/boot/Makefile | 3 -
+ arch/x86/boot/compressed/Makefile | 3 -
+ arch/x86/entry/common.c | 2 +-
+ arch/x86/include/asm/thread_info.h | 27 -
+ arch/x86/kernel/cpu/perf_event_intel_cqm.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_pt.c | 10 +-
+ arch/x86/kernel/i8259.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/oprofile/nmi_int.c | 2 +-
+ arch/x86/oprofile/op_model_amd.c | 6 +-
+ arch/x86/oprofile/op_model_ppro.c | 4 +-
+ arch/x86/pci/vmd.c | 2 +-
+ arch/x86/realmode/rm/Makefile | 3 -
+ drivers/acpi/bgrt.c | 4 +-
+ drivers/ata/libata-core.c | 2 +-
+ drivers/ata/pata_arasan_cf.c | 2 +-
+ drivers/base/platform-msi.c | 14 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/bus/arm-cci.c | 6 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/clk/socfpga/clk-gate.c | 4 +-
+ drivers/clk/socfpga/clk-pll.c | 4 +-
+ drivers/clk/ti/clk.c | 4 +-
+ drivers/cpufreq/acpi-cpufreq.c | 8 +-
+ drivers/cpufreq/cpufreq-dt.c | 2 +-
+ drivers/cpufreq/cpufreq.c | 8 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 4 +-
+ drivers/cpufreq/p4-clockmod.c | 6 +-
+ drivers/cpufreq/speedstep-centrino.c | 2 +-
+ drivers/firmware/dmi_scan.c | 8 +-
+ drivers/firmware/efi/efi.c | 10 +-
+ drivers/firmware/google/memconsole.c | 2 +-
+ drivers/gpio/gpiolib.c | 8 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 2 +-
+ drivers/gpu/drm/i915/i915_irq.c | 86 +-
+ drivers/gpu/drm/i915/intel_display.c | 6 +-
+ drivers/gpu/drm/mga/mga_drv.c | 2 +-
+ drivers/gpu/drm/omapdrm/dss/display.c | 6 +-
+ drivers/gpu/drm/qxl/qxl_drv.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 4 +-
+ drivers/gpu/drm/r128/r128_drv.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.c | 2 +-
+ drivers/gpu/drm/savage/savage_drv.c | 2 +-
+ drivers/gpu/drm/sis/sis_drv.c | 2 +-
+ drivers/gpu/drm/tegra/dc.c | 2 +-
+ drivers/gpu/drm/tegra/sor.c | 2 +-
+ drivers/gpu/drm/via/via_drv.c | 2 +-
+ drivers/idle/intel_idle.c | 4 +-
+ drivers/infiniband/hw/qib/qib.h | 1 -
+ drivers/iommu/arm-smmu.c | 4 +-
+ drivers/isdn/hardware/eicon/mntfunc.c | 2 +-
+ drivers/md/bcache/btree.c | 11 +-
+ drivers/md/bcache/closure.c | 4 +-
+ drivers/md/bcache/closure.h | 8 +-
+ drivers/md/bcache/journal.c | 16 +-
+ drivers/md/bcache/movinggc.c | 12 +-
+ drivers/md/bcache/request.c | 54 +-
+ drivers/md/bcache/request.h | 2 +-
+ drivers/md/bcache/super.c | 30 +-
+ drivers/md/bcache/writeback.c | 12 +-
+ drivers/media/platform/am437x/am437x-vpfe.c | 2 +-
+ drivers/mfd/twl4030-irq.c | 4 +-
+ drivers/misc/c2port/core.c | 2 +-
+ drivers/misc/mic/scif/scif_api.c | 8 +-
+ drivers/mmc/host/mmci.c | 2 +-
+ drivers/mmc/host/omap_hsmmc.c | 2 +-
+ drivers/mmc/host/sdhci-esdhc-imx.c | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 6 +-
+ drivers/net/ethernet/cavium/liquidio/lio_main.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 6 +-
+ drivers/net/macvlan.c | 14 +-
+ drivers/net/wireless/ath/ath9k/main.c | 20 +-
+ drivers/net/wireless/intel/iwlegacy/3945-mac.c | 2 +-
+ drivers/net/wireless/mac80211_hwsim.c | 22 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 8 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 4 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 4 +-
+ drivers/of/fdt.c | 2 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 2 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 6 +-
+ drivers/pci/hotplug/pci_hotplug_core.c | 4 +-
+ drivers/pci/msi.c | 12 +-
+ drivers/pinctrl/pinctrl-at91.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 12 +-
+ drivers/power/reset/at91-reset.c | 2 +-
+ drivers/powercap/powercap_sys.c | 6 +-
+ drivers/regulator/max8660.c | 4 +-
+ drivers/regulator/max8973-regulator.c | 12 +-
+ drivers/regulator/mc13892-regulator.c | 4 +-
+ drivers/rtc/rtc-armada38x.c | 4 +-
+ drivers/rtc/rtc-cmos.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 2 +-
+ drivers/rtc/rtc-rx8010.c | 6 +-
+ drivers/rtc/rtc-test.c | 4 +-
+ drivers/scsi/aacraid/aachba.c | 4 +-
+ drivers/scsi/lpfc/lpfc_init.c | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 4 +-
+ drivers/staging/sm750fb/sm750.c | 8 +-
+ drivers/thermal/cpu_cooling.c | 6 +-
+ drivers/thermal/int340x_thermal/int3400_thermal.c | 4 +-
+ drivers/thermal/of-thermal.c | 12 +-
+ drivers/tty/pty.c | 2 +-
+ drivers/tty/serial/8250/8250_core.c | 6 +-
+ drivers/tty/serial/kgdb_nmi.c | 2 +-
+ drivers/usb/host/xhci-ring.c | 52 +-
+ drivers/video/fbdev/aty/atyfb_base.c | 4 +-
+ drivers/video/fbdev/aty/mach64_cursor.c | 2 +-
+ drivers/video/fbdev/core/fb_defio.c | 6 +-
+ drivers/video/fbdev/mb862xx/mb862xxfb_accel.c | 12 +-
+ drivers/video/fbdev/nvidia/nvidia.c | 18 +-
+ drivers/video/fbdev/omap2/omapfb/dss/display.c | 6 +-
+ drivers/video/fbdev/s1d13xxxfb.c | 4 +-
+ drivers/video/fbdev/smscufx.c | 2 +-
+ drivers/video/fbdev/udlfb.c | 2 +-
+ drivers/video/fbdev/uvesafb.c | 4 +-
+ drivers/video/fbdev/vesafb.c | 2 +-
+ fs/fuse/cuse.c | 6 +-
+ fs/jffs2/file.c | 2 +-
+ fs/nls/nls_base.c | 4 +-
+ fs/nls/nls_euc-jp.c | 4 +-
+ fs/nls/nls_koi8-ru.c | 4 +-
+ fs/proc/proc_sysctl.c | 4 +-
+ fs/tracefs/inode.c | 4 +-
+ include/linux/compiler-gcc.h | 1 +
+ include/linux/compiler.h | 4 +
+ include/linux/seq_buf.h | 2 +-
+ include/linux/sysfs.h | 2 +-
+ kernel/cgroup.c | 14 +-
+ kernel/irq/msi.c | 12 +-
+ kernel/notifier.c | 4 +-
+ kernel/pid.c | 2 +-
+ kernel/trace/trace_output.c | 8 +-
+ net/core/rtnetlink.c | 2 +-
+ net/xfrm/xfrm_state.c | 2 +-
+ scripts/Makefile | 1 +
+ scripts/Makefile.gcc-plugins | 138 +-
+ scripts/Makefile.host | 6 +-
+ scripts/gcc-plugin.sh | 4 +-
+ scripts/gcc-plugins/Makefile | 45 +
+ scripts/gcc-plugins/checker_plugin.c | 496 +
+ scripts/gcc-plugins/colorize_plugin.c | 162 +
+ scripts/gcc-plugins/constify_plugin.c | 521 +
+ scripts/gcc-plugins/gcc-common.h | 879 +
+ scripts/gcc-plugins/gcc-generate-gimple-pass.h | 175 +
+ scripts/gcc-plugins/gcc-generate-ipa-pass.h | 289 +
+ scripts/gcc-plugins/gcc-generate-rtl-pass.h | 175 +
+ scripts/gcc-plugins/gcc-generate-simple_ipa-pass.h | 175 +
+ scripts/gcc-plugins/initify_plugin.c | 536 +
+ scripts/gcc-plugins/kallocstat_plugin.c | 135 +
+ scripts/gcc-plugins/kernexec_plugin.c | 407 +
+ scripts/gcc-plugins/latent_entropy_plugin.c | 438 +
+ scripts/gcc-plugins/rap_plugin/Makefile | 4 +
+ scripts/gcc-plugins/rap_plugin/rap.h | 36 +
+ scripts/gcc-plugins/rap_plugin/rap_fptr_pass.c | 220 +
+ scripts/gcc-plugins/rap_plugin/rap_hash.c | 382 +
+ scripts/gcc-plugins/rap_plugin/rap_plugin.c | 511 +
+ scripts/gcc-plugins/rap_plugin/sip.c | 96 +
+ .../gcc-plugins/size_overflow_plugin/.gitignore | 3 +
+ scripts/gcc-plugins/size_overflow_plugin/Makefile | 28 +
+ .../disable_size_overflow_hash.data | 12444 +++++++++++
+ .../generate_size_overflow_hash.sh | 103 +
+ .../insert_size_overflow_asm.c | 369 +
+ .../size_overflow_plugin/intentional_overflow.c | 1166 +
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 137 +
+ .../size_overflow_plugin/size_overflow.h | 331 +
+ .../size_overflow_plugin/size_overflow_debug.c | 194 +
+ .../size_overflow_plugin/size_overflow_hash.data | 21504 +++++++++++++++++++
+ .../size_overflow_hash_aux.data | 92 +
+ .../size_overflow_plugin/size_overflow_ipa.c | 1163 +
+ .../size_overflow_plugin/size_overflow_misc.c | 505 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 290 +
+ .../size_overflow_plugin_hash.c | 352 +
+ .../size_overflow_plugin/size_overflow_transform.c | 743 +
+ .../size_overflow_transform_core.c | 1025 +
+ scripts/gcc-plugins/stackleak_plugin.c | 350 +
+ scripts/gcc-plugins/structleak_plugin.c | 239 +
+ scripts/package/builddeb | 2 +-
+ security/Kconfig | 8 +-
+ sound/soc/codecs/sti-sas.c | 8 +-
+ sound/soc/soc-ac97.c | 4 +-
+ tools/gcc/Makefile | 46 -
+ tools/gcc/checker_plugin.c | 496 -
+ tools/gcc/colorize_plugin.c | 162 -
+ tools/gcc/constify_plugin.c | 521 -
+ tools/gcc/gcc-common.h | 879 -
+ tools/gcc/gcc-generate-gimple-pass.h | 175 -
+ tools/gcc/gcc-generate-ipa-pass.h | 289 -
+ tools/gcc/gcc-generate-rtl-pass.h | 175 -
+ tools/gcc/gcc-generate-simple_ipa-pass.h | 175 -
+ tools/gcc/initify_plugin.c | 536 -
+ tools/gcc/kallocstat_plugin.c | 135 -
+ tools/gcc/kernexec_plugin.c | 407 -
+ tools/gcc/latent_entropy_plugin.c | 422 -
+ tools/gcc/rap_plugin/Makefile | 4 -
+ tools/gcc/rap_plugin/rap.h | 36 -
+ tools/gcc/rap_plugin/rap_fptr_pass.c | 220 -
+ tools/gcc/rap_plugin/rap_hash.c | 382 -
+ tools/gcc/rap_plugin/rap_plugin.c | 511 -
+ tools/gcc/rap_plugin/sip.c | 96 -
+ tools/gcc/size_overflow_plugin/.gitignore | 3 -
+ tools/gcc/size_overflow_plugin/Makefile | 28 -
+ .../disable_size_overflow_hash.data | 12444 -----------
+ .../generate_size_overflow_hash.sh | 103 -
+ .../insert_size_overflow_asm.c | 369 -
+ .../size_overflow_plugin/intentional_overflow.c | 1166 -
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 137 -
+ tools/gcc/size_overflow_plugin/size_overflow.h | 331 -
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 194 -
+ .../size_overflow_plugin/size_overflow_hash.data | 21504 -------------------
+ .../size_overflow_hash_aux.data | 92 -
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1163 -
+ .../gcc/size_overflow_plugin/size_overflow_misc.c | 505 -
+ .../size_overflow_plugin/size_overflow_plugin.c | 290 -
+ .../size_overflow_plugin_hash.c | 352 -
+ .../size_overflow_plugin/size_overflow_transform.c | 743 -
+ .../size_overflow_transform_core.c | 1025 -
+ tools/gcc/stackleak_plugin.c | 350 -
+ tools/gcc/structleak_plugin.c | 239 -
+ 237 files changed, 47340 insertions(+), 47276 deletions(-)
+
+commit b0b41430a8c9e6e5067c896c07d361e527e298e8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 21 13:59:19 2016 -0400
+
+ Fix gcc assert properly, from Emese Revfy
+
+ tools/gcc/size_overflow_plugin/intentional_overflow.c | 2 +-
+ tools/gcc/size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5e7a47f06420603b0f26f1b45fe2ab02838795c9
+Merge: f844209 5929595
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 20 20:19:27 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5929595ec558e9282901842bdf9e4a981751fb08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 20 20:18:58 2016 -0400
+
+ Update to pax-linux-4.5.5-test9.patch:
+ - fixed a few more incorrect fptr casts for RAP
+
+ arch/x86/math-emu/fpu_etc.c | 9 +++++++--
+ arch/x86/math-emu/fpu_trig.c | 13 +++++++++----
+ arch/x86/math-emu/reg_constant.c | 7 ++++++-
+ drivers/isdn/hisax/hfc_2bds0.c | 4 ++--
+ drivers/isdn/hisax/hfcscard.c | 6 ++++--
+ drivers/isdn/hisax/saphir.c | 5 +++--
+ drivers/isdn/hisax/teleint.c | 5 +++--
+ drivers/media/pci/sta2x11/sta2x11_vip.c | 5 +++--
+ drivers/net/hamradio/baycom_epp.c | 2 +-
+ 9 files changed, 38 insertions(+), 18 deletions(-)
+
+commit f84420916698cdf33a81f046206d050e2c3e6966
+Merge: fa18ce2 445754e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 20 18:52:20 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 445754e5717176c2b3431a0cde1e90df51cc43e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 20 18:51:52 2016 -0400
+
+ Update to pax-linux-4.5.4-test8.patch:
+ - fixed a USERCOPY report in the mwifiex driver, by Dennis Wassenberg <dennis.wassenberg@secunet.com> and Mathias Krause <minipli@ld-linux.so>
+
+ drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 2 +-
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 4 ++--
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 10 ++++------
+ 3 files changed, 7 insertions(+), 9 deletions(-)
+
+commit fa18ce2d37a92442162fb72b8f85ee86120ffacb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 19 18:30:08 2016 -0400
+
+ Update size_overflow hash, from Dr. Toth
+
+ tools/gcc/size_overflow_plugin/size_overflow_hash.data | 1 +
+ 1 file changed, 1 insertion(+)
+
+commit 61c487965dbc34618fe292663759d6fa0515bcad
+Merge: fbc84d2 a734dbd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 19 06:26:52 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a734dbda8b785c38baa1858df2bffc89b45d070a
+Merge: 238dfca 3b41b7e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 19 06:24:25 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit fbc84d202d311b4dc09bcc922678df60b6e76614
+Merge: 84fa82c 238dfca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 13 18:00:06 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 238dfca3ffe87f4410e67c8ceb554b9ce4f3132b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 13 17:59:42 2016 -0400
+
+ Compile fix for older gcc
+
+ tools/gcc/size_overflow_plugin/intentional_overflow.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 84fa82c59fa5051e1485a3dcc857b87b70dbc18d
+Merge: 2cece8e 4654023
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 13 17:31:49 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4654023e72b0834142594eee879e657664498443
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 13 17:29:38 2016 -0400
+
+ Update to pax-linux-4.5.4-test7.patch:
+ - changed the RAP hash emission code to accomodate x86 disassemblers, suggested by Mathias Krause <minipli@ld-linux.so>
+ - fixed a few size overflow false positives in JFS due to the lack of endian conversion macros for signed types, reported by ryonaloli via hunger
+ - fixed a compiler assert triggered by the size overflow plugin
+
+ tools/gcc/rap_plugin/rap_plugin.c | 39 ++++++++++++++++++----
+ .../disable_size_overflow_hash.data | 3 ++
+ .../size_overflow_plugin/intentional_overflow.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 3 --
+ 4 files changed, 36 insertions(+), 11 deletions(-)
+
+commit 2cece8e8e0e2fce9943345c0ebebd7436929868e
+Merge: 6df0471 ea68d2e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 12 18:41:15 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ea68d2e7123a83aba24db99d5ef487b1397fd6d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 12 18:40:50 2016 -0400
+
+ Update to pax-linux-4.5.3-test6.patch:
+ - really fixed https://forums.grsecurity.net/viewtopic.php?f=3&t=4473
+ - the nfsd_proc_read fix for RAP had a typo causing an oops, reported by Carlos Carvalho (https://forums.grsecurity.net/viewtopic.php?f=3&t=4471)
+ - fixed a few format string warnings in the RAP hash emission code, reported by Dwokfur
+
+ drivers/net/ppp/pptp.c | 1 -
+ fs/nfsd/nfsproc.c | 2 +-
+ tools/gcc/rap_plugin/rap_fptr_pass.c | 2 +-
+ tools/gcc/rap_plugin/rap_plugin.c | 14 ++++++++++----
+ 4 files changed, 12 insertions(+), 7 deletions(-)
+
+commit 6df04719a7cf4d3f60c9e6190f8eb4b986ce2b1b
+Author: David Howells <dhowells@redhat.com>
+Date: Tue Feb 23 11:03:12 2016 +0000
+
+ KEYS: Fix ASN.1 indefinite length object parsing
+
+ This fixes CVE-2016-0758.
+
+ In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+ it isn't validated against the remaining amount of data before being added
+ to the cursor. With a sufficiently large size indicated, the check:
+
+ datalen - dp < 2
+
+ may then fail due to integer overflow.
+
+ Fix this by checking the length indicated against the amount of remaining
+ data in both places a definite length is determined.
+
+ Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+ of the variable it's being stored in (len) rather than the type that
+ variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+ integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+ for (len = 0; n > 0; n--) {
+
+ since it doesn't have anything to do with the loop counter n.
+
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+ Acked-by: David Woodhouse <David.Woodhouse@intel.com>
+ Acked-by: Peter Jones <pjones@redhat.com>
+
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+commit acb6cef8047476b8afc3ff3f07286b9e36de1b77
+Merge: 735f14a a7c9bec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 11 17:05:21 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a7c9bec57dea73ceee1246a64df55038ea840be9
+Merge: f5bd134 a29ab35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 11 17:04:48 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit 735f14a2b5562cd1329b263a81781d59dacffd3e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 11 06:57:40 2016 -0400
+
+ Fix typo in nfsd RAP changes causing oops reported by Carlos Carvalho
+ at: https://forums.grsecurity.net/viewtopic.php?f=3&t=4471
+
+ fs/nfsd/nfsproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 35e1e615072d0bb885b38ee1b2ada7a0a6a91f9d
+Merge: 9e3e5ae3e f5bd134
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 10 20:56:54 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f5bd1342fa631bb3b69a2e8919785c827c4edf74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 10 20:55:57 2016 -0400
+
+ Update to pax-linux-4.5.3-test5.patch:
+ - marked all indirectly callable x86 asm crypto functions, reported by Dwokfur and minipli (https://forums.grsecurity.net/viewtopic.php?f=3&t=4468)
+ - worked around an intentional integer overflow introduced by gcc-6 that triggered a size overflow false positive, reported by hooruD, chron and Fen (https://forums.grsecurity.net/viewtopic.php?f=3&t=4469)
+ - made some preparations for enabling RAP on i386 as well, will have to wait due to KERNEXEC
+
+ arch/x86/crypto/aesni-intel_asm.S | 6 +++---
+ arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S | 4 ++--
+ arch/x86/crypto/sha-mb/sha1_mb_mgr_submit_avx2.S | 2 +-
+ arch/x86/crypto/sha256_ni_asm.S | 2 +-
+ arch/x86/crypto/twofish-i586-asm_32.S | 2 +-
+ arch/x86/entry/common.c | 1 -
+ include/linux/linkage.h | 22 +++++++++++++++-------
+ tools/gcc/rap_plugin/rap_fptr_pass.c | 2 +-
+ tools/gcc/rap_plugin/rap_hash.c | 1 +
+ tools/gcc/rap_plugin/rap_plugin.c | 18 +++++++++---------
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ 12 files changed, 35 insertions(+), 27 deletions(-)
+
+commit 9e3e5ae3e9ed69452d4133490dd1831376b9a1e8
+Merge: e5983fd cfcaa03
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 8 08:04:18 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cfcaa036dd3756fc32e083a7c486c1143d93fd22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 8 08:03:53 2016 -0400
+
+ Update to pax-linux-4.5.3-test4.patch:
+ - fixed a few incorrect function types (mostly start_xmit callbacks) found by RAP, reported by cinder (https://forums.grsecurity.net/viewtopic.php?f=3&t=4466)
+
+ drivers/char/tpm/tpm-chip.c | 7 ++++++-
+ drivers/net/can/bfin_can.c | 2 +-
+ drivers/net/can/flexcan.c | 2 +-
+ drivers/net/ethernet/adi/bfin_mac.c | 2 +-
+ drivers/net/ethernet/allwinner/sun4i-emac.c | 2 +-
+ drivers/net/ethernet/amd/7990.c | 2 +-
+ drivers/net/ethernet/amd/7990.h | 2 +-
+ drivers/net/ethernet/amd/atarilance.c | 4 ++--
+ drivers/net/ethernet/amd/declance.c | 2 +-
+ drivers/net/ethernet/amd/sun3lance.c | 4 ++--
+ drivers/net/ethernet/amd/sunlance.c | 2 +-
+ drivers/net/ethernet/broadcom/bcm63xx_enet.c | 2 +-
+ drivers/net/ethernet/davicom/dm9000.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +-
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +-
+ drivers/net/ethernet/freescale/fec_mpc52xx.c | 2 +-
+ drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c | 2 +-
+ drivers/net/ethernet/freescale/gianfar.c | 4 ++--
+ drivers/net/ethernet/freescale/ucc_geth.c | 2 +-
+ drivers/net/ethernet/i825xx/lib82596.c | 4 ++--
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 2 +-
+ drivers/net/ethernet/ibm/emac/core.c | 4 ++--
+ drivers/net/ethernet/micrel/ks8695net.c | 2 +-
+ drivers/net/ethernet/moxa/moxart_ether.c | 2 +-
+ drivers/net/ethernet/netx-eth.c | 2 +-
+ drivers/net/ethernet/nuvoton/w90p910_ether.c | 2 +-
+ drivers/net/ethernet/nxp/lpc_eth.c | 2 +-
+ drivers/net/ethernet/seeq/sgiseeq.c | 2 +-
+ drivers/net/ethernet/sgi/ioc3-eth.c | 4 ++--
+ drivers/net/ethernet/smsc/smc911x.c | 2 +-
+ drivers/net/ethernet/smsc/smc91x.c | 2 +-
+ drivers/net/ethernet/sun/sunbmac.c | 2 +-
+ drivers/net/ethernet/sun/sunqe.c | 2 +-
+ drivers/net/ethernet/sun/sunvnet.c | 10 +++++-----
+ drivers/net/ethernet/ti/cpmac.c | 2 +-
+ drivers/net/ethernet/ti/netcp_core.c | 2 +-
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +-
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 +-
+ drivers/net/xen-netback/interface.c | 2 +-
+ drivers/net/xen-netfront.c | 2 +-
+ 40 files changed, 55 insertions(+), 50 deletions(-)
+
+commit e5983fd19799feb3bf947cd0dc2b5435deee3332
+Merge: 5ecb84f a235ecd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 7 00:00:42 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a235ecd8bdece417e83f9cf89c76607bf15955dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 6 23:59:34 2016 -0400
+
+ Update to pax-linux-4.5.3-test3.patch:
+ - fixed some more of PARAVIRT for RAP, reported by hunger
+ - Emese increased the coverage of initify by marking up str* and mem* functions
+ - added error reporting for refusing to load modules incompatible with KERNEXEC's 'or' method, reported by Martin Väth (https://bugs.gentoo.org/show_bug.cgi?id=581726)
+
+ arch/arm/include/asm/string.h | 10 ++---
+ arch/arm64/include/asm/string.h | 22 +++++------
+ arch/x86/boot/string.h | 4 +-
+ arch/x86/include/asm/string_32.h | 20 +++++-----
+ arch/x86/include/asm/string_64.h | 16 ++++----
+ arch/x86/kernel/paravirt-spinlocks.c | 22 +++++++++--
+ arch/x86/xen/mmu.c | 6 ++-
+ drivers/gpu/drm/gma500/mdfld_dsi_dpi.c | 10 ++---
+ include/linux/string.h | 70 +++++++++++++++++-----------------
+ include/linux/syscalls.h | 2 +-
+ kernel/module.c | 4 +-
+ mm/fadvise.c | 2 +-
+ tools/gcc/randomize_layout_seed.h | 1 -
+ tools/gcc/rap_plugin/rap_plugin.c | 7 +++-
+ 14 files changed, 109 insertions(+), 87 deletions(-)
+
+commit 5ecb84f55a9bdf8b39054c23d90646ba0591ce1c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 6 08:51:58 2016 -0400
+
+ Remove !PARAVIRT dependency on RAP
+
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit eecd10d7c579d2601c384c1e9e0f062a8dda40e7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 6 06:34:48 2016 -0400
+
+ Update copyright year
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 7d7e01439c2601abcae2ecfc66a883be258a2691
+Merge: 3315e83 c2aa83b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 6 06:34:25 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c2aa83bf2d65989c262ff33312874ee7fe38606a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 6 06:34:04 2016 -0400
+
+ Update to pax-linux-4.5.2-test2.patch:
+ - minipli fixed a few missing hunks left out from the 4.5 port
+ - fixed a regression in handling user.pax.flags on tmpfs, reported by blueness and Stebalien (https://forums.grsecurity.net/viewtopic.php?f=3&t=4462)
+ - fixed a few compile regressions on arm, reported by Wizzup
+ - fixed PARAVIRT for RAP, reported by spender
+ - fixed the very old PAGEEXEC/i386 TLB reload code for SMAP (not that it could work there), reported by spender
+ - Emese fixed a false positive size overflow report caused by gcc-5 and newer, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4455)
+
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/domain.h | 2 +-
+ arch/arm/kernel/process.c | 6 +
+ arch/mips/mm/mmap.c | 27 ++++
+ arch/powerpc/kernel/process.c | 39 +++++
+ arch/s390/kernel/process.c | 13 ++
+ arch/x86/entry/entry_32.S | 2 +-
+ arch/x86/include/asm/fixmap.h | 2 +-
+ arch/x86/kernel/paravirt.c | 90 +++++++++--
+ arch/x86/mm/fault.c | 2 +
+ arch/x86/mm/pgtable.c | 2 +-
+ drivers/cpufreq/intel_pstate.c | 2 +-
+ drivers/gpu/drm/gma500/mdfld_dsi_dpi.c | 7 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/oprofile/oprofilefs.c | 4 +-
+ drivers/platform/x86/thinkpad_acpi.c | 1 -
+ fs/xattr.c | 2 +-
+ include/asm-generic/atomic-long.h | 4 +
+ include/uapi/linux/xattr.h | 3 +-
+ kernel/module.c | 2 +-
+ mm/shmem.c | 2 -
+ security/Kconfig | 2 +
+ .../insert_size_overflow_asm.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 80 ++++++++--
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 2 +-
+ tools/gcc/size_overflow_plugin/size_overflow.h | 8 +-
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 2 +-
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 2 +-
+ .../gcc/size_overflow_plugin/size_overflow_misc.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin_hash.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 34 ++---
+ .../size_overflow_transform_core.c | 170 +++++++++++----------
+ 33 files changed, 370 insertions(+), 156 deletions(-)
+
+commit 3315e83c1e9738784da3c1c5836dd13b7593a8f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 4 21:03:36 2016 -0400
+
+ Add PAGEEXEC support for i386 !PAE on SMAP-capable processors
+ (won't be used by anyone, just for correctness sake)
+
+ arch/x86/mm/fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+commit b9e96108d2092c12e42e1810a62aec85f6ddc501
+Merge: 6d98323 a3273aa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 4 19:06:44 2016 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a3273aa2488f9e201620ee53af1acfd99c58650a
+Merge: e0e4c2c fbc310e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 4 19:06:36 2016 -0400
+
+ Merge branch 'linux-4.5.y' into pax-test
+
+commit 6d98323e0b511bdb77b9ef11d84207219331ac69
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 3 21:58:09 2016 -0400
+
+ Backport fix from http://www.spinics.net/lists/linux-usb/msg140243.html
+
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+commit b003c68f96dd6a483b515290756816b6c909f34f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 1 12:06:48 2016 -0400
+
+ Add note about RANDSTRUCT and the gcc runtime library exception
+
+ tools/gcc/randomize_layout_plugin.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
commit fe375f07d31c5d561fcca4016f7c33e885fa3586
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Apr 29 06:22:29 2016 -0400
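Review bot: The entry for commit 6d98323e0b511bdb77b9ef11d84207219331ac69 describes its change to drivers/usb/core/devio.c only as "Backport fix from http://www.spinics.net/lists/linux-usb/msg140243.html", so the changelog does not say what was fixed and loses that information if the archive link stops resolving. Add the subject of the upstream patch or a one-line summary of the defect next to the URL, the way the entry for 6df04719a7cf4d3f60c9e6190f8eb4b986ce2b1b names CVE-2016-0758 and explains the unvalidated ASN.1 length. Two spelling slips in the added entries are also worth correcting at the source: "unusued" in the entry that moves the gcc plugins to scripts/gcc-plugins, and "accomodate" in the pax-linux-4.5.4-test7 entry.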