X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=test%2Fchangelog-test.txt;h=40f07c92bdd68b7ff291812e12ddc0768a8685d6;hb=87ff3ca1585b8adf25c560ded4bdda8fc1d20340;hp=27e29fd495c9e750de2441cb6275437bffc69433;hpb=c3f73f4b1305a3255ae572addbe506cc2a85a54a;p=thirdparty%2Fgrsecurity-scrape.git diff --git a/test/changelog-test.txt b/test/changelog-test.txt index 27e29fd..40f07c9 100644 --- a/test/changelog-test.txt +++ b/test/changelog-test.txt @@ -1,1656 +1,1603 @@ -commit 2bf85cb1c3df45d59d8b59aeacf63cbbee360175 -Author: Brad Spengler -Date: Thu Oct 29 08:52:07 2015 -0400 +commit ab86adee64312a2f827dd516cb199521327943ed +Author: Sasha Levin +Date: Mon Jan 18 19:23:51 2016 -0500 - Temporarily disable the builtin_overflow again as the kernexec plugin also has problems with it + netfilter: nf_conntrack: use safer way to lock all buckets + + When we need to lock all buckets in the connection hashtable we'd attempt to + lock 1024 spinlocks, which is way more preemption levels than supported by + the kernel. Furthermore, this behavior was hidden by checking if lockdep is + enabled, and if it was - use only 8 buckets(!). + + Fix this by using a global lock and synchronize all buckets on it when we + need to lock them all. This is pretty heavyweight, but is only done when we + need to resize the hashtable, and that doesn't happen often enough (or at all). + + Signed-off-by: Sasha Levin + Acked-by: Jesper Dangaard Brouer + Reviewed-by: Florian Westphal + 
Signed-off-by: Pablo Neira Ayuso + + Conflicts: + + net/netfilter/nfnetlink_cttimeout.c + + include/net/netfilter/nf_conntrack_core.h | 8 ++---- + net/netfilter/nf_conntrack_core.c | 38 +++++++++++++++++++++------- + net/netfilter/nf_conntrack_helper.c | 2 +- + net/netfilter/nf_conntrack_netlink.c | 2 +- + 4 files changed, 33 insertions(+), 17 deletions(-) + +commit 37014723527225481c720484bb788a1a6358072f +Author: Willy Tarreau +Date: Mon Jan 18 16:36:09 2016 +0100 + + pipe: limit the per-user amount of pages allocated in pipes + + On no-so-small systems, it is possible for a single process to cause an + OOM condition by filling large pipes with data that are never read. A + typical process filling 4000 pipes with 1 MB of data will use 4 GB of + memory. On small systems it may be tricky to set the pipe max size to + prevent this from happening. + + This patch makes it possible to enforce a per-user soft limit above + which new pipes will be limited to a single page, effectively limiting + them to 4 kB each, as well as a hard limit above which no new pipes may + be created for this user. This has the effect of protecting the system + against memory abuse without hurting other users, and still allowing + pipes to work correctly though with less data at once. + + The limit are controlled by two new sysctls : pipe-user-pages-soft, and + pipe-user-pages-hard. Both may be disabled by setting them to zero. The + default soft limit allows the default number of FDs per process (1024) + to create pipes of the default size (64kB), thus reaching a limit of 64MB + before starting to create only smaller pipes. With 256 processes limited + to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB = + 1084 MB of memory allocated for a user. The hard limit is disabled by + default to avoid breaking existing applications that make intensive use + of pipes (eg: for splicing). 
+ + Reported-by: socketpair@gmail.com + Reported-by: Tetsuo Handa + Mitigates: CVE-2013-4312 (Linux 2.0+) + Suggested-by: Linus Torvalds + Signed-off-by: Willy Tarreau + 
Signed-off-by: Al Viro - include/linux/compiler-gcc.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + Documentation/sysctl/fs.txt | 23 +++++++++++++++++++++ + fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++- + include/linux/pipe_fs_i.h | 4 +++ + include/linux/sched.h | 1 + + kernel/sysctl.c | 14 ++++++++++++ + 5 files changed, 87 insertions(+), 2 deletions(-) -commit a41c8c4d880b6005e874bf5440e24713da8483cd +commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8 +Merge: 540f2af 7791ecb Author: Brad Spengler -Date: Wed Oct 28 19:28:30 2015 -0400 - - temporarily work around issue with the dynamic FPU state and lazy FPU mode - upstream configures FPU mode based on the eagerfpu variable before it's ever actually - set by the commandline parser (so eagerfpu= on the commandline has no effect) +Date: Sat Jan 23 10:57:11 2016 -0500 - arch/x86/kernel/fpu/init.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) + Merge branch 'pax-test' into grsec-test -commit 8452f9d5cfabda9228496050a16bc8728c0ebbb7 +commit 7791ecb84f840343a5646236fd0d34e1fb450793 +Merge: 470069c 399588c Author: Brad Spengler -Date: Wed Oct 28 19:25:55 2015 -0400 - - Remove/reorder some code due to the reverting of the FPU-state-in-task_struct code +Date: Sat Jan 23 10:56:47 2016 -0500 - arch/x86/include/asm/fpu/types.h | 69 ++++++++++++++++++-------------------- - arch/x86/include/asm/processor.h | 10 ++---- - arch/x86/kernel/fpu/init.c | 20 ----------- - include/linux/sched.h | 4 +- - 4 files changed, 38 insertions(+), 65 deletions(-) + Merge branch 'linux-4.3.y' into pax-test -commit c2127bd4215f8f02a1391bef3bde55d0bb1c19bc +commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33 Author: Brad Spengler -Date: Tue Oct 27 23:38:11 2015 -0400 +Date: Tue Jan 19 21:18:47 2016 -0500 - fix typo + Update size_overflow hash table - tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + .../size_overflow_plugin/size_overflow_hash.data | 4 +++- + 
1 files changed, 3 insertions(+), 1 deletions(-) -commit c588def7b5713c31fef2b848bfebf0d727791b82 +commit 7e649765626a28437f573f0fbe7a51a04615f041 Author: Brad Spengler -Date: Tue Oct 27 21:09:04 2015 -0400 +Date: Tue Jan 19 20:29:46 2016 -0500 - remove the PAGE_SIZE padding from fpregs_state since it's not included as part - of the task struct + Backport fix from: https://lkml.org/lkml/2015/12/13/187 - arch/x86/include/asm/fpu/types.h | 1 - - 1 files changed, 0 insertions(+), 1 deletions(-) + fs/ext4/extents.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -commit 3bd1e5915353fee1f347577f0e80d925910695f9 -Author: Herbert Xu -Date: Mon Oct 19 18:23:57 2015 +0800 +commit 53b859cd0a5f5b6ad54fe0c879dfedaa3c5a3005 +Author: Jann Horn +Date: Tue Jan 5 18:27:30 2016 +0100 - crypto: api - Only abort operations on fatal signal + compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS) - Currently a number of Crypto API operations may fail when a signal - occurs. This causes nasty problems as the caller of those operations - are often not in a good position to restart the operation. + This replaces all code in fs/compat_ioctl.c that translated + ioctl arguments into a in-kernel structure, then performed + do_ioctl under set_fs(KERNEL_DS), with code that allocates + data on the user stack and can call the VFS ioctl handler + under USER_DS. - In fact there is currently no need for those operations to be - interrupted by user signals at all. All we need is for them to - be killable. + This is done as a hardening measure because the caller + does not know what kind of ioctl handler will be invoked, + only that no corresponding compat_ioctl handler exists and + what the ioctl command number is. The accidental + invocation of an unlocked_ioctl handler that unexpectedly + calls copy_to_user could be a severe security issue. 
- This patch replaces the relevant calls of signal_pending with - fatal_signal_pending, and wait_for_completion_interruptible with - wait_for_completion_killable, respectively. + Signed-off-by: Jann Horn + Signed-off-by: Al Viro - Cc: stable@vger.kernel.org - Signed-off-by: Herbert Xu - - crypto/ablkcipher.c | 2 +- - crypto/algapi.c | 2 +- - crypto/api.c | 6 +++--- - crypto/crypto_user.c | 2 +- - 4 files changed, 6 insertions(+), 6 deletions(-) - -commit 2b278f02de77bd3d0ffb4c64bc56b702d4e27e49 -Author: Brad Spengler -Date: Tue Oct 27 18:02:42 2015 -0400 - - Update a comment - - arch/x86/include/asm/fpu/internal.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + Conflicts: + + fs/compat_ioctl.c -commit 66cbab70d87485c22946485bfd375c3e88140213 -Merge: cad84c5 8610c94 -Author: Brad Spengler -Date: Tue Oct 27 07:44:23 2015 -0400 + fs/compat_ioctl.c | 130 ++++++++++++++++++++++++++++------------------------- + 1 files changed, 68 insertions(+), 62 deletions(-) - Merge branch 'pax-test' into grsec-test +commit 3e89e770ae27e931cd1583f021abac41eeebc3e7 +Author: Al Viro +Date: Thu Jan 7 09:53:30 2016 -0500 -commit 8610c949a76ac2a09b334f41c35cb8e7a04a0ce8 -Merge: a851b41 f69d603 -Author: Brad Spengler -Date: Tue Oct 27 07:44:14 2015 -0400 + compat_ioctl: don't pass fd around when not needed + + 
Signed-off-by: Al Viro - Merge branch 'linux-4.2.y' into pax-test + fs/compat_ioctl.c | 103 ++++++++++++++++++++++++++-------------------------- + fs/internal.h | 7 ++++ + fs/ioctl.c | 4 +- + include/linux/fs.h | 2 - + 4 files changed, 61 insertions(+), 55 deletions(-) -commit cad84c52f547c8ba47ddcf39d1f260f55350f0c2 -Author: Brad Spengler -Date: Mon Oct 26 07:33:21 2015 -0400 +commit 9d4e04082752d4d2d68445c4e6faf33a2613df55 +Author: Jann Horn +Date: Tue Jan 5 18:27:29 2016 +0100 - re-enable builtin_overflow support + compat_ioctl: don't look up the fd twice + + In code in fs/compat_ioctl.c that translates ioctl arguments + into a in-kernel structure, then performs sys_ioctl, possibly + under set_fs(KERNEL_DS), this commit changes the sys_ioctl + calls to do_ioctl calls. do_ioctl is a new function that does + the same thing as sys_ioctl, but doesn't look up the fd again. + + This change is made to avoid (potential) security issues + because of ioctl handlers that accept one of the ioctl + commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET, + TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ. + This can happen for multiple reasons: + + - The ioctl command number could be reused. + - The ioctl handler might not check the full ioctl + command. This is e.g. true for drm_ioctl. + - The ioctl handler is very special, e.g. cuse_file_ioctl + + The real issue is that set_fs(KERNEL_DS) is used here, + but that's fixed in a separate commit + "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)". + + This change mitigates potential security issues by + preventing a race that permits invocation of + unlocked_ioctl handlers under KERNEL_DS through compat + code even if a corresponding compat_ioctl handler exists. 
+ + So far, no way has been identified to use this to damage + kernel memory without having CAP_SYS_ADMIN in the init ns + (with the capability, doing reads/writes at arbitrary + kernel addresses should be easy through CUSE's ioctl + handler with FUSE_IOCTL_UNRESTRICTED set). + + [AV: two missed sys_ioctl() taken care of] + + Signed-off-by: Jann Horn + Signed-off-by: Al Viro - include/linux/compiler-gcc.h | 3 +-- - 1 files changed, 1 insertions(+), 2 deletions(-) + fs/compat_ioctl.c | 122 +++++++++++++++++++++++++++++----------------------- + 1 files changed, 68 insertions(+), 54 deletions(-) -commit 6e281aebbf456c27ce530055d5668bc5829c02a8 -Author: Brad Spengler -Date: Mon Oct 26 07:32:15 2015 -0400 +commit 5bf9e1ed4ebb278cd956ba142914fc04a024309c +Author: Vasily Kulikov +Date: Fri Jan 15 16:57:55 2016 -0800 - Update the size_overflow plugin from Emese to fix the ICE on builtin_overflow use + include/linux/poison.h: use POISON_POINTER_DELTA for poison pointers + + TIMER_ENTRY_STATIC is defined as a poison pointers which + should point to nowhere. Redefine them using POISON_POINTER_DELTA + arithmetics to make sure they really point to non-mappable area declared + by the target architecture. + + Signed-off-by: Vasily Kulikov + Acked-by: Thomas Gleixner + Cc: Solar Designer + Cc: "Kirill A. Shutemov" + Signed-off-by: Andrew Morton + 
Signed-off-by: Linus Torvalds + + Conflicts: + + include/linux/poison.h - tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 3 ++- - .../size_overflow_plugin/size_overflow_plugin.c | 2 +- - 2 files changed, 3 insertions(+), 2 deletions(-) + include/linux/poison.h | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -commit 75ed97df02fc6eb862df511da6ca690de3d0f15c +commit 60f2e0a05ab8f56c804a9334a23e2b446305d110 Author: Brad Spengler -Date: Mon Oct 26 07:17:00 2015 -0400 +Date: Tue Jan 19 19:41:44 2016 -0500 - Fix from Emese for a size_overflow report in the fbcon code on the - 'softback_lines' global variable + Fix ARM compilation, reported by Austin Sepp - drivers/video/console/fbcon.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + grsecurity/grsec_sig.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) -commit b088cabd42c6fe825baa27f40ab450ad75e571d3 -Author: Brad Spengler -Date: Sun Oct 25 18:09:55 2015 -0400 +commit e15383743443dc43460a2fd73e0db0b608610dca +Author: Takashi Iwai +Date: Mon Jan 18 13:52:47 2016 +0100 - Temporarily work around an ICE on GCC >= 5 reported by Daniel Micay due to - backporting of __builtin_usub_overflow + ALSA: hrtimer: Fix stall by hrtimer_cancel() + + hrtimer_cancel() waits for the completion from the callback, thus it + must not be called inside the callback itself. This was already a + problem in the past with ALSA hrtimer driver, and the early commit + [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it. + + However, the previous fix is still insufficient: it may still cause a + lockup when the ALSA timer instance reprograms itself in its callback. + Then it invokes the start function even in snd_timer_interrupt() that + is called in hrtimer callback itself, results in a CPU stall. This is + no hypothetical problem but actually triggered by syzkaller fuzzer. + + This patch tries to fix the issue again. 
Now we call + hrtimer_try_to_cancel() at both start and stop functions so that it + won't fall into a deadlock, yet giving some chance to cancel the queue + if the functions have been called outside the callback. The proper + hrtimer_cancel() is called in anyway at closing, so this should be + enough. + + Reported-and-tested-by: Dmitry Vyukov + Cc: + Signed-off-by: Takashi Iwai - include/linux/compiler-gcc.h | 3 ++- + sound/core/hrtimer.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) -commit ba858f46865c6751af3ddba03b176e4d5ecf85c1 -Author: Brad Spengler -Date: Sun Oct 25 17:59:17 2015 -0400 +commit 12d874daf706e6e7c1ae709141859c809599297e +Author: Takashi Iwai +Date: Tue Jan 12 12:38:02 2016 +0100 - Update size_overflow hash table + ALSA: seq: Fix missing NULL check at remove_events ioctl + + snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() + unconditionally even if there is no FIFO assigned, and this leads to + an Oops due to NULL dereference. The fix is just to add a proper NULL + check. + + Reported-by: Dmitry Vyukov + Tested-by: Dmitry Vyukov + Cc: + 
Signed-off-by: Takashi Iwai - .../disable_size_overflow_hash.data | 7 +++++++ - .../size_overflow_plugin/size_overflow_hash.data | 9 +-------- - 2 files changed, 8 insertions(+), 8 deletions(-) + sound/core/seq/seq_clientmgr.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -commit ba803bceaea0283b38e91c1d3176bf0671786269 -Author: Brad Spengler -Date: Sun Oct 25 15:31:17 2015 -0400 +commit 2eb0632df1351378946507e7ef7ba0682632a7b5 +Author: Takashi Iwai +Date: Tue Jan 12 15:36:27 2016 +0100 - Fix oversight in pipacs' removal of FPU state from the task struct: - fpu_copy was performing an OOB copy starting from the address of the 'state' - pointer in the fpu struct instead of starting from the address pointed - to by the state pointer. Reported at: - https://bugs.archlinux.org/task/46764 + ALSA: seq: Fix race at timer setup and close + + ALSA sequencer code has an open race between the timer setup ioctl and + the close of the client. This was triggered by syzkaller fuzzer, and + a use-after-free was caught there as a result. + + This patch papers over it by adding a proper queue->timer_mutex lock + around the timer-related calls in the relevant code path. + + Reported-by: Dmitry Vyukov + Tested-by: Dmitry Vyukov + Cc: + 
Signed-off-by: Takashi Iwai - arch/x86/include/asm/fpu/internal.h | 4 ++-- - arch/x86/kernel/fpu/core.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) + sound/core/seq/seq_queue.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) -commit 26e7d31c5b5c970c50297d2b8be165e9c9ab9d83 -Merge: 85d8735 a851b41 -Author: Brad Spengler -Date: Sun Oct 25 13:39:21 2015 -0400 +commit b9e55ab955e59b4a636d78a748be90334a48b485 +Author: Takashi Iwai +Date: Thu Jan 14 16:30:58 2016 +0100 - Merge branch 'pax-test' into grsec-test + ALSA: timer: Harden slave timer list handling + + A slave timer instance might be still accessible in a racy way while + operating the master instance as it lacks of locking. Since the + master operation is mostly protected with timer->lock, we should cope + with it while changing the slave instance, too. Also, some linked + lists (active_list and ack_list) of slave instances aren't unlinked + immediately at stopping or closing, and this may lead to unexpected + accesses. + + This patch tries to address these issues. It adds spin lock of + timer->lock (either from master or slave, which is equivalent) in a + few places. For avoiding a deadlock, we ensure that the global + slave_active_lock is always locked at first before each timer lock. + + Also, ack and active_list of slave instances are properly unlinked at + snd_timer_stop() and snd_timer_close(). + + Last but not least, remove the superfluous call of _snd_timer_stop() + at removing slave links. This is a noop, and calling it may confuse + readers wrt locking. Further cleanup will follow in a later patch. + + Actually we've got reports of use-after-free by syzkaller fuzzer, and + this hopefully fixes these issues. + + Reported-by: Dmitry Vyukov + Cc: + 
Signed-off-by: Takashi Iwai -commit a851b41415a0402d76f10712b6950ddff3872a22 -Author: Brad Spengler -Date: Sun Oct 25 13:38:25 2015 -0400 + sound/core/timer.c | 18 ++++++++++++++---- + 1 files changed, 14 insertions(+), 4 deletions(-) - Update to latest size_overflow plugin release: - Temporarily ignore bitfield types: https://bugs.archlinux.org/task/46798 - Use SI or wider type for the size_overflow type: https://forums.grsecurity.net/viewtopic.php?t=4293&p=15655#p15655 +commit f1ce0547bdfda1b42ae8a66c222f2a897cbe1586 +Author: Takashi Iwai +Date: Wed Jan 13 17:48:01 2016 +0100 - .../size_overflow_plugin/intentional_overflow.c | 3 +++ - .../size_overflow_plugin/size_overflow_plugin.c | 2 +- - .../size_overflow_plugin/size_overflow_transform.c | 7 +++++++ - .../size_overflow_transform_core.c | 2 -- - 4 files changed, 11 insertions(+), 3 deletions(-) + ALSA: timer: Fix race among timer ioctls + + ALSA timer ioctls have an open race and this may lead to a + use-after-free of timer instance object. A simplistic fix is to make + each ioctl exclusive. We have already tread_sem for controlling the + tread, and extend this as a global mutex to be applied to each ioctl. + + The downside is, of course, the worse concurrency. But these ioctls + aren't to be parallel accessible, in anyway, so it should be fine to + serialize there. + + Reported-by: Dmitry Vyukov + Tested-by: Dmitry Vyukov + Cc: + 
Signed-off-by: Takashi Iwai -commit 85d8735a1d1190e3ad2e3f032ae88f811090fdfc -Author: Brad Spengler -Date: Sun Oct 25 13:01:32 2015 -0400 + sound/core/timer.c | 32 +++++++++++++++++++------------- + 1 files changed, 19 insertions(+), 13 deletions(-) - fpu doesn't live on the task_struct with PaX, so don't even bother computing some task_size - variable that isn't used for anything +commit 8347d8461ed48a98f9c76cc3cfcdad8217d314bc +Author: Takashi Iwai +Date: Wed Jan 13 21:35:06 2016 +0100 - arch/x86/kernel/fpu/init.c | 14 -------------- - 1 files changed, 0 insertions(+), 14 deletions(-) + ALSA: timer: Fix double unlink of active_list + + ALSA timer instance object has a couple of linked lists and they are + unlinked unconditionally at snd_timer_stop(). Meanwhile + snd_timer_interrupt() unlinks it, but it calls list_del() which leaves + the element list itself unchanged. This ends up with unlinking twice, + and it was caught by syzkaller fuzzer. + + The fix is to use list_del_init() variant properly there, too. + + Reported-by: Dmitry Vyukov + Tested-by: Dmitry Vyukov + Cc: + 
Signed-off-by: Takashi Iwai + + sound/core/timer.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -commit cfd0008de8db38841f7f06b979482900994717b9 +commit 243aebb7ae71d6e11ea9880faa893d1d0d60cd75 Author: Hannes Frederic Sowa -Date: Fri Oct 16 11:32:42 2015 +0200 +Date: Mon Jan 18 18:03:48 2016 +0100 - overflow-arith: begin to add support for overflow builtin functions - - The idea of the overflow-arith.h header is to collect overflow checking - functions in one central place. + ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack - If gcc compiler supports the __builtin_overflow_* builtins we use them - because they might give better performance, otherwise the code falls - back to normal overflow checking functions. + It was seen that defective configurations of openvswitch could overwrite + the STACK_END_MAGIC and cause a hard crash of the kernel because of too + many recursions within ovs. - The builtin_overflow functions are supported by gcc-5 and clang. The - matter of supporting clang is to just provide a corresponding - CC_HAVE_BUILTIN_OVERFLOW, because the specific overflow checking builtins - don't differ between gcc and clang. + This problem arises due to the high stack usage of openvswitch. The rest + of the kernel is fine with the current limit of 10 (RECURSION_LIMIT). - I just provide overflow_usub function here as I intend this to get merged - into net, more functions will definitely follow as they are needed. + We use the already existing recursion counter in ovs_execute_actions to + implement an upper bound of 5 recursions. + Cc: Pravin Shelar + Cc: Simon Horman + Cc: Eric Dumazet + Cc: Simon Horman Signed-off-by: Hannes Frederic Sowa 
Signed-off-by: David S. Miller - include/linux/compiler-gcc.h | 4 ++++ - include/linux/overflow-arith.h | 18 ++++++++++++++++++ - 2 files changed, 22 insertions(+), 0 deletions(-) + net/openvswitch/actions.c | 19 ++++++++++++++----- + 1 files changed, 14 insertions(+), 5 deletions(-) -commit 18d5034650b637ec479f41d98e3912398b3e3efc -Author: Hannes Frederic Sowa -Date: Fri Oct 16 11:32:43 2015 +0200 +commit 8080793479c6d5befe37a67b1dbd9e4e0a61af96 +Author: Ursula Braun +Date: Tue Jan 19 10:41:33 2016 +0100 - ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues - - Raw sockets with hdrincl enabled can insert ipv6 extension headers - right into the data stream. In case we need to fragment those packets, - we reparse the options header to find the place where we can insert - the fragment header. If the extension headers exceed the link's MTU we - actually cannot make progress in such a case. - - Instead of ending up in broken arithmetic or rounding towards 0 and - entering an endless loop in ip6_fragment, just prevent those cases by - aborting early and signal -EMSGSIZE to user space. + af_iucv: Validate socket address length in iucv_sock_bind() + Signed-off-by: Ursula Braun Reported-by: Dmitry Vyukov - Cc: Dmitry Vyukov - Signed-off-by: Hannes Frederic Sowa + Reviewed-by: Evgeny Cherkashin 
Signed-off-by: David S. Miller - net/ipv6/ip6_output.c | 6 +++++- - 1 files changed, 5 insertions(+), 1 deletions(-) + net/iucv/af_iucv.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +commit 50a383c1c91ed7409c3cbdd41e662d6891463d1b +Author: Brad Spengler +Date: Tue Jan 19 19:32:54 2016 -0500 + + Apply the same fix as everyone else for the recent keys vulnerability that is + unexploitable under PAX_REFCOUNT + + Make a couple more changes that no one else can/will + + include/linux/key-type.h | 4 ++-- + ipc/msgutil.c | 4 ++-- + security/keys/internal.h | 2 +- + security/keys/process_keys.c | 1 + + 4 files changed, 6 insertions(+), 5 deletions(-) -commit 0e1d1c0f1981b4049a70d23dce4c69daf19f020b -Merge: c81314c 9470e78 +commit b56c3a63f431c193400aee17543021950bd14bc4 +Merge: 38b1a3d 470069c Author: Brad Spengler -Date: Sun Oct 25 11:51:44 2015 -0400 +Date: Sun Jan 17 18:30:19 2016 -0500 Merge branch 'pax-test' into grsec-test -commit 9470e7893a9a1bf15f9b7d412dc09bebb59105e8 +commit 470069cfedef2180313233d275be5901bd6d1135 Author: Brad Spengler -Date: Sun Oct 25 11:50:54 2015 -0400 +Date: Sun Jan 17 18:29:59 2016 -0500 + + Update to pax-linux-4.3.3-test22.patch: + - Emesed fixed a gcc induced intentional integer overflow in asix_rx_fixup_internal, reported by thomas callison caffrey + - fixed some more fallout from the drm_drivers constification, reported by Colin Childs and Toralf Foerster + + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 ++++---------- + drivers/gpu/drm/drm_pci.c | 3 +++ + drivers/gpu/drm/gma500/psb_drv.c | 4 ---- + drivers/gpu/drm/i915/i915_drv.c | 16 ++++++++-------- + drivers/gpu/drm/nouveau/nouveau_drm.c | 6 +++--- + drivers/gpu/drm/radeon/radeon_drv.c | 4 +--- + drivers/net/usb/asix_common.c | 3 ++- + include/drm/drmP.h | 1 + + 8 files changed, 22 insertions(+), 29 deletions(-) + +commit 38b1a3d676f407865c3d41840df8213c5ad639c1 +Author: Brad Spengler +Date: Sun Jan 17 12:33:53 2016 -0500 - Temporary squelching of overflow warning 
on skb_transport_offset(), will be fixed properly after H2HC + As reported by Luis Ressel, the Kconfig help for GRKERNSEC_BRUTE + mentioned banning execution of suid/sgid binaries, though the kernel + source clearly only mentions banning execution of suid binaries. Since + there's no reason for us to not ban execution of sgid binaries as well, + make the implementation match the Kconfig description. - include/linux/skbuff.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + fs/exec.c | 4 ++-- + grsecurity/grsec_sig.c | 27 ++++++++++++++------------- + include/linux/sched.h | 4 ++-- + 3 files changed, 18 insertions(+), 17 deletions(-) -commit c81314ce278e9cfa3322881a6133c2c7e53b9430 +commit 8c3bcb7dbf7f606acfa0983e81f0f928da1f1ace +Merge: d141a86 ea4a835 Author: Brad Spengler -Date: Sat Oct 24 23:13:36 2015 -0400 +Date: Sat Jan 16 14:12:22 2016 -0500 - Update recordmcount/fixdep paths in RPM spec, from Andrew - - scripts/package/mkspec | 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) + Merge branch 'pax-test' into grsec-test + + Conflicts: + drivers/gpu/drm/i810/i810_drv.c -commit 798e4296bd55778b5e77f1db69c1bb972419590f +commit ea4a835328ada6513ac013986764d6caea8cd348 Author: Brad Spengler -Date: Sat Oct 24 23:11:22 2015 -0400 +Date: Sat Jan 16 14:11:30 2016 -0500 - Update size_overflow hash table + Update to pax-linux-4.3.3-test21.patch: + - fixed some fallout from the drm_drivers constification, reported by spender - .../disable_size_overflow_hash.data | 3 +++ - .../size_overflow_plugin/size_overflow_hash.data | 5 +---- - 2 files changed, 4 insertions(+), 4 deletions(-) + drivers/gpu/drm/armada/armada_drv.c | 3 +-- + drivers/gpu/drm/exynos/exynos_drm_drv.c | 1 - + drivers/gpu/drm/i810/i810_dma.c | 2 +- + drivers/gpu/drm/i810/i810_drv.c | 6 +++++- + drivers/gpu/drm/i810/i810_drv.h | 2 +- + 5 files changed, 8 insertions(+), 6 deletions(-) -commit d9ef04f20fc634595883d1c1950c32a8fe04df22 +commit d141a86fd66194bc3f896b6809b189e2f12a9a83 Author: 
Brad Spengler -Date: Sat Oct 24 08:27:29 2015 -0400 +Date: Sat Jan 16 13:16:36 2016 -0500 - Fix from Emese for https://forums.grsecurity.net/viewtopic.php?f=3&t=4291 + compile fix - drivers/usb/class/cdc-acm.h | 2 +- - include/linux/usb.h | 8 ++++---- - 2 files changed, 5 insertions(+), 5 deletions(-) + drivers/gpu/drm/i810/i810_dma.c | 2 +- + drivers/gpu/drm/i810/i810_drv.c | 4 +++- + drivers/gpu/drm/i810/i810_drv.h | 2 +- + 3 files changed, 5 insertions(+), 3 deletions(-) -commit eea46f1d247f5f63e3762da91a41cba76567800f +commit 0d9dc4b25ea32c14561bcfe6b5b24f1b00fe0270 +Merge: 5fa135d bbda879 Author: Brad Spengler -Date: Fri Oct 23 18:24:57 2015 -0400 +Date: Sat Jan 16 12:59:22 2016 -0500 - Update size_overflow hash tables + Merge branch 'pax-test' into grsec-test + +commit bbda87914edf63e27fb46670bf3a373f2b963c73 +Author: Brad Spengler +Date: Sat Jan 16 12:58:04 2016 -0500 - .../disable_size_overflow_hash.data | 5 ++++- - .../size_overflow_plugin/size_overflow_hash.data | 5 +---- - 2 files changed, 5 insertions(+), 5 deletions(-) + Update to pax-linux-4.3.3-test20.patch: + - constified drm_driver + - Emese fixed a special case in handling __func__ in the initify plugin + - Emese fixed a false positive size overflow report in handling inbufBits, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=567048) + - fixed regression that caused perf to not resolve kernel code addresses under KERNEXEC/i386, reported by minipli -commit 8f521b864bd7428f3ad42613416c106d1d619c4d -Merge: 26adf00 285f0d1 + arch/x86/kernel/cpu/perf_event.h | 2 +- + arch/x86/kernel/cpu/perf_event_intel_ds.c | 7 +- + arch/x86/kernel/cpu/perf_event_intel_lbr.c | 4 +- + arch/x86/kernel/uprobes.c | 2 +- + arch/x86/mm/mpx.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 8 ++- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +- + drivers/gpu/drm/drm_pci.c | 6 +- + drivers/gpu/drm/gma500/psb_drv.c | 5 +- + drivers/gpu/drm/i915/i915_dma.c | 2 +- + 
drivers/gpu/drm/i915/i915_drv.c | 15 ++-- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/i915_irq.c | 88 ++++++++++---------- + drivers/gpu/drm/mga/mga_drv.c | 5 +- + drivers/gpu/drm/mga/mga_drv.h | 2 +- + drivers/gpu/drm/mga/mga_state.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_drm.c | 13 ++-- + drivers/gpu/drm/qxl/qxl_drv.c | 8 ++- + drivers/gpu/drm/qxl/qxl_ioctl.c | 2 +- + drivers/gpu/drm/r128/r128_drv.c | 4 +- + drivers/gpu/drm/r128/r128_drv.h | 2 +- + drivers/gpu/drm/r128/r128_state.c | 2 +- + drivers/gpu/drm/radeon/radeon_drv.c | 17 +++- + drivers/gpu/drm/radeon/radeon_drv.h | 2 +- + drivers/gpu/drm/radeon/radeon_kms.c | 2 +- + drivers/gpu/drm/radeon/radeon_state.c | 2 +- + drivers/gpu/drm/savage/savage_bci.c | 2 +- + drivers/gpu/drm/savage/savage_drv.c | 5 +- + drivers/gpu/drm/savage/savage_drv.h | 2 +- + drivers/gpu/drm/sis/sis_drv.c | 5 +- + drivers/gpu/drm/sis/sis_drv.h | 2 +- + drivers/gpu/drm/sis/sis_mm.c | 2 +- + drivers/gpu/drm/via/via_dma.c | 2 +- + drivers/gpu/drm/via/via_drv.c | 5 +- + drivers/gpu/drm/via/via_drv.h | 2 +- + include/drm/drmP.h | 2 +- + mm/slab.c | 2 +- + net/sunrpc/xprtrdma/svc_rdma.c | 6 +- + tools/gcc/initify_plugin.c | 15 +++- + .../disable_size_overflow_hash.data | 1 + + .../size_overflow_plugin/size_overflow_hash.data | 3 +- + 42 files changed, 156 insertions(+), 110 deletions(-) + +commit 5fa135dc116350e0205c39ef65eaf6496ed2748a Author: Brad Spengler -Date: Thu Oct 22 19:41:57 2015 -0400 +Date: Sat Jan 16 12:19:23 2016 -0500 - Merge branch 'pax-test' into grsec-test - - Conflicts: - drivers/gpu/drm/drm_lock.c + compile fix + + grsecurity/grsec_sig.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) -commit 285f0d1cda31b45ee217b90861677c032cb6550b -Merge: d6dc25f 190bd21 +commit a9090fa58f33f75c7450fda5721a9b13625a47d9 Author: Brad Spengler -Date: Thu Oct 22 19:40:34 2015 -0400 +Date: Sat Jan 16 12:10:37 2016 -0500 - Merge branch 'linux-4.2.y' into pax-test - - Conflicts: - arch/x86/kernel/process_64.c 
+ As pointed out by Jann Horn, some distros are starting to circumvent + previous assumptions about the attainability of a user to control + multiple UIDs by handing out suid binaries that allow a user to run + processes (including exploits) under a number of other pre-defined + UIDs. As this could potentially be used to bypass GRKERNSEC_BRUTE + (though it would have to involve some code path that doesn't involve + locks) fix that here by ensuring no more than 8 users on a system can + be banned before a reboot is required. If more are banned, a panic + is triggered. -commit 26adf00caf8f4ebf155422082d4e8b8e4eb60eef -Author: Eric W. Biederman -Date: Sat Aug 15 13:36:12 2015 -0500 + grsecurity/grsec_sig.c | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) - dcache: Handle escaped paths in prepend_path - - A rename can result in a dentry that by walking up d_parent - will never reach it's mnt_root. For lack of a better term - I call this an escaped path. - - prepend_path is called by four different functions __d_path, - d_absolute_path, d_path, and getcwd. - - __d_path only wants to see paths are connected to the root it passes - in. So __d_path needs prepend_path to return an error. - - d_absolute_path similarly wants to see paths that are connected to - some root. Escaped paths are not connected to any mnt_root so - d_absolute_path needs prepend_path to return an error greater - than 1. So escaped paths will be treated like paths on lazily - unmounted mounts. +commit a8d37776e9521c567ebff6730d49312f72435f08 +Author: Eric Dumazet +Date: Thu Dec 3 11:12:07 2015 -0800 + + proc: add a reschedule point in proc_readfd_common() - getcwd needs to prepend "(unreachable)" so getcwd also needs - prepend_path to return an error. + User can pass an arbitrary large buffer to getdents(). - d_path is the interesting hold out. d_path just wants to print - something, and does not care about the weird cases. Which raises - the question what should be printed? 
+ It is typically a 32KB buffer used by libc scandir() implementation. - Given that / should result in -ENOENT I - believe it is desirable for escaped paths to be printed as empty - paths. As there are not really any meaninful path components when - considered from the perspective of a mount tree. + When scanning /proc/{pid}/fd, we can hold cpu way too long, + so add a cond_resched() to be kind with other tasks. - So tweak prepend_path to return an empty path with an new error - code of 3 when it encounters an escaped path. + We've seen latencies of more than 50ms on real workloads. - Signed-off-by: "Eric W. Biederman" + Signed-off-by: Eric Dumazet + Cc: Alexander Viro Signed-off-by: Al Viro - fs/dcache.c | 7 +++++++ - 1 files changed, 7 insertions(+), 0 deletions(-) + fs/proc/fd.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) -commit d402147a7689356c29bfd46a7cfa6594e517ab95 -Author: Salva Peiró -Date: Wed Oct 14 17:48:02 2015 +0200 +commit 0adba75f8708f13b1f5d98ebe3fc2fb961e100c8 +Author: Rabin Vincent +Date: Tue Jan 12 20:17:08 2016 +0100 - staging/dgnc: fix info leak in ioctl + net: bpf: reject invalid shifts - The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of - struct digi_dinfo after the ->dinfo_nboards member. Add an explicit - memset(0) before filling the structure to avoid the info leak. + On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a + constant shift that can't be encoded in the immediate field of the + UBFM/SBFM instructions is passed to the JIT. Since these shifts + amounts, which are negative or >= regsize, are invalid, reject them in + the eBPF verifier and the classic BPF filter checker, for all + architectures. - Signed-off-by: Salva Peiró - Signed-off-by: Greg Kroah-Hartman + Signed-off-by: Rabin Vincent + Acked-by: Alexei Starovoitov + Acked-by: Daniel Borkmann + 
Signed-off-by: David S. Miller - drivers/staging/dgnc/dgnc_mgmt.c | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) + kernel/bpf/verifier.c | 10 ++++++++++ + net/core/filter.c | 5 +++++ + 2 files changed, 15 insertions(+), 0 deletions(-) -commit bafc510c4fb4e8a5e69531fdc3a733e58c4bbdbf -Author: Salva Peiró -Date: Wed Oct 7 07:09:26 2015 -0300 +commit c248e115a73496625a1c64660d0eeefd67e55cbf +Author: Marcelo Ricardo Leitner +Date: Fri Jan 8 11:00:54 2016 -0200 - [media] media/vivid-osd: fix info leak in ioctl + sctp: fix use-after-free in pr_debug statement - The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of - struct fb_vblank after the ->hcount member. Add an explicit - memset(0) before filling the structure to avoid the info leak. + Dmitry Vyukov reported a use-after-free in the code expanded by the + macro debug_post_sfx, which is caused by the use of the asoc pointer + after it was freed within sctp_side_effect() scope. - Signed-off-by: Salva Peiró - Signed-off-by: Hans Verkuil - 
Signed-off-by: Mauro Carvalho Chehab - - drivers/media/platform/vivid/vivid-osd.c | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -commit 980a903796ae06366fd5acbcd179ee2dc57fbabf -Author: David Howells -Date: Mon Oct 19 11:20:28 2015 +0100 - - KEYS: Don't permit request_key() to construct a new keyring + This patch fixes it by allowing sctp_side_effect to clear that asoc + pointer when the TCB is freed. - If request_key() is used to find a keyring, only do the search part - don't - do the construction part if the keyring was not found by the search. We - don't really want keyrings in the negative instantiated state since the - rejected/negative instantiation error value in the payload is unioned with - keyring metadata. + As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case + because it will trigger DELETE_TCB too on that same loop. - Now the kernel gives an error: + Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED + but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme + above. Fix it by returning SCTP_DISPOSITION_ABORT instead. - request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted) + The macro is already prepared to handle such NULL pointer. - Signed-off-by: David Howells + Reported-by: Dmitry Vyukov + Signed-off-by: Marcelo Ricardo Leitner + Acked-by: Vlad Yasevich + 
Signed-off-by: David S. Miller - security/keys/request_key.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) + net/sctp/sm_sideeffect.c | 11 ++++++----- + net/sctp/sm_statefuns.c | 17 ++++------------- + 2 files changed, 10 insertions(+), 18 deletions(-) -commit f705c157ed6f8a9c4c0cf552fd5f054d9d500550 -Author: Dan Carpenter -Date: Mon Oct 19 13:16:49 2015 +0300 +commit 395ea8a9e73e184fc14153a033000bccf4213213 +Author: willy tarreau +Date: Sun Jan 10 07:54:56 2016 +0100 - irda: precedence bug in irlmp_seq_hb_idx() + unix: properly account for FDs passed over unix sockets + + It is possible for a process to allocate and accumulate far more FDs than + the process' limit by sending them over a unix socket then closing them + to keep the process' fd count low. - This is decrementing the pointer, instead of the value stored in the - pointer. KASan detects it as an out of bounds reference. + This change addresses this problem by keeping track of the number of FDs + in flight per user and preventing non-privileged processes from having + more FDs in flight than their configured FD limit. - Reported-by: "Berry Cheng 程君(成淼)" - Signed-off-by: Dan Carpenter + Reported-by: socketpair@gmail.com + Reported-by: Tetsuo Handa + Mitigates: CVE-2013-4312 (Linux 2.0+) + Suggested-by: Linus Torvalds + Acked-by: Hannes Frederic Sowa + Signed-off-by: Willy Tarreau 
Signed-off-by: David S. Miller - net/irda/irlmp.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + include/linux/sched.h | 1 + + net/unix/af_unix.c | 24 ++++++++++++++++++++---- + net/unix/garbage.c | 13 ++++++++----- + 3 files changed, 29 insertions(+), 9 deletions(-) -commit 4a110451298bfce895ed224e6bbd9201d8605b2b -Author: Brad Spengler -Date: Tue Oct 20 19:25:13 2015 -0400 +commit cb207ab8fbd71dcfc4a49d533aba8085012543fd +Author: Sasha Levin +Date: Thu Jan 7 14:52:43 2016 -0500 - Ratelimit the dump_stack as well, both to 15s with a burst of 3, enough not to completely - flood syslog + net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory + + proc_dostring() needs an initialized destination string, while the one + provided in proc_sctp_do_hmac_alg() contains stack garbage. + + Thus, writing to cookie_hmac_alg would strlen() that garbage and end up + accessing invalid memory. + + Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic") + Signed-off-by: Sasha Levin + 
Signed-off-by: David S. Miller - fs/exec.c | 11 +++++++++-- - 1 files changed, 9 insertions(+), 2 deletions(-) + net/sctp/sysctl.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -commit 183fc2ae7d90e077fd27623998d82916260a2223 -Merge: a240939 d6dc25f -Author: Brad Spengler -Date: Tue Oct 20 19:16:04 2015 -0400 +commit 4014e09faf0fe9054119624ccfff1236e886b554 +Author: Quentin Casasnovas +Date: Tue Nov 24 17:13:21 2015 -0500 - Merge branch 'pax-test' into grsec-test + RDS: fix race condition when sending a message on unbound socket + + commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream. + + Sasha's found a NULL pointer dereference in the RDS connection code when + sending a message to an apparently unbound socket. The problem is caused + by the code checking if the socket is bound in rds_sendmsg(), which checks + the rs_bound_addr field without taking a lock on the socket. This opens a + race where rs_bound_addr is temporarily set but where the transport is not + in rds_bind(), leading to a NULL pointer dereference when trying to + dereference 'trans' in __rds_conn_create(). + + Vegard wrote a reproducer for this issue, so kindly ask him to share if + you're interested. + + I cannot reproduce the NULL pointer dereference using Vegard's reproducer + with this patch, whereas I could without. + + Complete earlier incomplete fix to CVE-2015-6937: + + 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") + + Cc: David S. Miller + + Reviewed-by: Vegard Nossum + Reviewed-by: Sasha Levin + Acked-by: Santosh Shilimkar + Signed-off-by: Quentin Casasnovas + Signed-off-by: David S. Miller + 
Signed-off-by: Jiri Slaby Conflicts: - tools/gcc/size_overflow_plugin/size_overflow_plugin.c - -commit d6dc25f193a832e08d8e7cf097d7f70b3dc24776 -Author: Brad Spengler -Date: Tue Oct 20 19:14:41 2015 -0400 - - Update to pax-linux-4.2.3-test16.patch: - - fixed undefined integer shift in proc_do_submiturb, reported by Arnaud - - fixed integer underflow in scm_detach_fds (similar to 1ac70e7ad24a88710cf9b6d7ababaefa2b575df0 upstream), reported by kdave (https://forums.grsecurity.net/viewtopic.php?f=1&t=4286) - - Emese added a temporary workaround for miscompiling the ath10k driver, reported by victor - - Emese fixed a false positive that affected the iwlwifi driver among others, reported by victor - - Emese disabled size overflow checking in acpi_ex_do_math_op and on acpi_object_integer, reported by xxterry1xx and rfnx (https://forums.grsecurity.net/viewtopic.php?f=3&t=4287) - - drivers/net/wireless/ath/ath10k/ce.c | 2 +- - drivers/usb/core/devio.c | 2 +- - fs/dlm/lowcomms.c | 2 +- - net/core/scm.c | 6 ++- - .../disable_size_overflow_hash.data | 4 +- - .../size_overflow_plugin/intentional_overflow.c | 44 -------------------- - tools/gcc/size_overflow_plugin/size_overflow.h | 1 - - .../size_overflow_plugin/size_overflow_hash.data | 4 +- - .../size_overflow_plugin/size_overflow_plugin.c | 4 +- - .../size_overflow_plugin/size_overflow_transform.c | 3 - - .../size_overflow_transform_core.c | 6 +++ - 11 files changed, 19 insertions(+), 59 deletions(-) - -commit a2409394c2b0d97a9f02bf62ca4c0254602e58a6 -Author: Brad Spengler -Date: Tue Oct 20 08:58:25 2015 -0400 - - set default to y + + net/rds/send.c + + net/rds/connection.c | 6 ------ + 1 files changed, 0 insertions(+), 6 deletions(-) + +commit 206df8d01104344d7588d801016a281a4cd25556 +Author: Sasha Levin +Date: Tue Sep 8 10:53:40 2015 -0400 + + RDS: verify the underlying transport exists before creating a connection + + There was no verification that an underlying transport exists when creating + a connection, this would 
cause dereferencing a NULL ptr. + + It might happen on sockets that weren't properly bound before attempting to + send a message, which will cause a NULL ptr deref: + + [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN + [135546.051270] Modules linked in: + [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527 + [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000 + [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194) + [135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202 + [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000 + [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038 + [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000 + [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000 + [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000 + [135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000 + [135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0 + [135546.064723] Stack: + [135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008 + [135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342 + [135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00 + [135546.068629] Call Trace: + [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134) + [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298) + [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278) + [135546.071981] rds_sendmsg (net/rds/send.c:1058) + [135546.072858] ? 
perf_trace_lock (include/trace/events/lock.h:38) + [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298) + [135546.074577] ? rds_send_drop_to (net/rds/send.c:976) + [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795) + [135546.076349] ? __might_fault (mm/memory.c:3795) + [135546.077179] ? rds_send_drop_to (net/rds/send.c:976) + [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620) + [135546.078856] SYSC_sendto (net/socket.c:1657) + [135546.079596] ? SYSC_connect (net/socket.c:1628) + [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926) + [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674) + [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749) + [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16) + [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16) + [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749) + [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1 + + Acked-by: Santosh Shilimkar + Signed-off-by: Sasha Levin + 
Signed-off-by: David S. Miller - security/Kconfig | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) + net/rds/connection.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) -commit 3abe24117389419654da44adc87a9a03ad7e3f38 -Author: Brad Spengler -Date: Tue Oct 20 08:08:32 2015 -0400 +commit 173fa03f05cf0ad485d49a42cbdee8844d3a689a +Author: Steven Rostedt (Red Hat) +Date: Tue Jan 5 20:32:47 2016 -0500 - Add a new config option from Emese to allow SIZE_OVERFLOW to be enabled - while having it not kill the userland process in an overflow condition. - This will help us obtain reports over the next few weeks while not making - some percentage of users' machines unusable. + ftrace/module: Call clean up function when module init fails early - To enable this option, set CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL=y in .config - - fs/exec.c | 5 +++++ - security/Kconfig | 4 ++++ - .../size_overflow_plugin/size_overflow_plugin.c | 4 ++-- - 3 files changed, 11 insertions(+), 2 deletions(-) - -commit bcae982f720ce0b3463a81f2b72a4807cb89048b -Merge: 0e55d80 128d3a5 -Author: Brad Spengler -Date: Mon Oct 19 18:56:09 2015 -0400 + If the module init code fails after calling ftrace_module_init() and before + calling do_init_module(), we can suffer from a memory leak. This is because + ftrace_module_init() allocates pages to store the locations that ftrace + hooks are placed in the module text. If do_init_module() fails, it still + calls the MODULE_GOING notifiers which will tell ftrace to do a clean up of + the pages it allocated for the module. But if load_module() fails before + then, the pages allocated by ftrace_module_init() will never be freed. + + Call ftrace_release_mod() on the module if load_module() fails before + getting to do_init_module(). 
+ + Link: http://lkml.kernel.org/r/567CEA31.1070507@intel.com + + Reported-by: "Qiu, PeiyangX" + Fixes: a949ae560a511 "ftrace/module: Hardcode ftrace_module_init() call into load_module()" + Cc: stable@vger.kernel.org # v2.6.38+ + Acked-by: Rusty Russell + Signed-off-by: Steven Rostedt - Merge branch 'pax-test' into grsec-test + include/linux/ftrace.h | 1 + + kernel/module.c | 6 ++++++ + 2 files changed, 7 insertions(+), 0 deletions(-) -commit 128d3a5452ab001b29235b05eb0be3334fff3998 -Author: Brad Spengler -Date: Mon Oct 19 18:55:37 2015 -0400 +commit 1e5a4a81a4c16c8ac2e264b88a02cc2f42ed0399 +Author: Francesco Ruggeri +Date: Wed Jan 6 00:18:48 2016 -0800 - Update to pax-linux-4.2.3-test14.patch: - - Emese fixed a false positive size overflow report, reported by gus (https://forums.grsecurity.net/viewtopic.php?t=4280) - - fixed an integer sign mixup in usb_stor_invoke_transport, reported by Arnaud + net: possible use after free in dst_release + + dst_release should not access dst->flags after decrementing + __refcnt to 0. The dst_entry may be in dst_busy_list and + dst_gc_task may dst_destroy it before dst_release gets a chance + to access dst->flags. + + Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()") + Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst") + Signed-off-by: Francesco Ruggeri + Acked-by: Eric Dumazet + 
Signed-off-by: David S. Miller - drivers/usb/storage/transport.c | 2 +- - .../size_overflow_plugin/size_overflow_plugin.c | 2 +- - .../size_overflow_plugin/size_overflow_transform.c | 15 +++- - .../size_overflow_transform_core.c | 90 ++++++++++++++----- - 4 files changed, 81 insertions(+), 28 deletions(-) + net/core/dst.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) -commit 0e55d80a65998266cab71804131a072fcc8ee558 -Merge: a61fd15 9c4310f -Author: Brad Spengler -Date: Sat Oct 17 23:15:36 2015 -0400 +commit bfb0455793dd4e0f0b49d34a68b3249ab55565cc +Author: Alan +Date: Wed Jan 6 14:55:02 2016 +0000 - Merge branch 'pax-test' into grsec-test + mkiss: fix scribble on freed memory + + commit d79f16c046086f4fe0d42184a458e187464eb83e fixed a user triggerable + scribble on free memory but added a new one which allows the user to + scribble even more and user controlled data into freed space. + + As with 6pack we need to halt the queue before we free the buffers, because + the transmit logic is not protected by the semaphore. + + Signed-off-by: Alan Cox + 
Signed-off-by: David S. Miller -commit 9c4310fdb2d19f83affc62eb2698d3763ce8c36b -Author: Brad Spengler -Date: Sat Oct 17 23:15:13 2015 -0400 - - Update to pax-linux-4.2.3-test14.patch: - - reverted some page table hardening that caused too much slowdown under virtualization, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275) - - arch/x86/include/asm/pgtable-2level.h | 18 ++---------------- - arch/x86/include/asm/pgtable-3level.h | 10 ---------- - arch/x86/include/asm/pgtable_32.h | 2 ++ - arch/x86/include/asm/pgtable_64.h | 18 ++---------------- - arch/x86/mm/highmem_32.c | 2 ++ - arch/x86/mm/init_64.c | 2 ++ - arch/x86/mm/iomap_32.c | 4 ++++ - arch/x86/mm/pageattr.c | 4 ++++ - arch/x86/mm/pgtable.c | 2 ++ - arch/x86/mm/pgtable_32.c | 3 +++ - mm/highmem.c | 5 +++++ - mm/vmalloc.c | 7 +++++++ - 12 files changed, 35 insertions(+), 42 deletions(-) - -commit a61fd152e87bd3ed91194b07f6b1fcbcd165093b -Merge: 00f1afa db7a8e5 -Author: Brad Spengler -Date: Sat Oct 17 18:33:48 2015 -0400 + drivers/net/hamradio/mkiss.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) - Merge branch 'pax-test' into grsec-test +commit 5cbbcbd32dc1949470f61d342503808fa9555276 +Author: David Miller +Date: Thu Dec 17 16:05:49 2015 -0500 -commit db7a8e5c284179889014b5929a40298e1b228fbc -Author: Brad Spengler -Date: Sat Oct 17 18:33:22 2015 -0400 + mkiss: Fix use after free in mkiss_close(). + + Need to do the unregister_device() after all references to the driver + private have been done. + + 
Signed-off-by: David S. Miller - Update to pax-linux-4.2.3-test13.patch: - - Emese worked around a sign mixup with wiphy.rts_threshold, reported by gus (https://forums.grsecurity.net/viewtopic.php?f=3&t=4278) + drivers/net/hamradio/mkiss.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) - .../disable_size_overflow_hash.data | 2 ++ - .../size_overflow_plugin/size_overflow_hash.data | 2 -- - 2 files changed, 2 insertions(+), 2 deletions(-) +commit b00171576794a98068e069a660f0991a6a5190ff +Author: One Thousand Gnomes +Date: Tue Jan 5 11:51:25 2016 +0000 -commit 00f1afa694317365e9bd6dc77d2e3e96ae3a68ec -Merge: 7098385 57dc21d -Author: Brad Spengler -Date: Sat Oct 17 11:04:56 2015 -0400 + 6pack: fix free memory scribbles + + commit acf673a3187edf72068ee2f92f4dc47d66baed47 fixed a user triggerable free + memory scribble but in doing so replaced it with a different one that allows + the user to control the data and scribble even more. + + sixpack_close is called by the tty layer in tty context. The tty context is + protected by sp_get() and sp_put(). However network layer activity via + sp_xmit() is not protected this way. We must therefore stop the queue + otherwise the user gets to dump a buffer mostly of their choice into freed + kernel pages. + + Signed-off-by: Alan Cox + 
Signed-off-by: David S. Miller - Merge branch 'pax-test' into grsec-test + drivers/net/hamradio/6pack.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) -commit 57dc21d203a9fa1312a4abc608da5b3644d29078 -Author: Brad Spengler -Date: Sat Oct 17 11:04:34 2015 -0400 +commit 5b64a833907cd230a3106aeba2304b2c1bcd116d +Author: David Miller +Date: Thu Dec 17 16:05:32 2015 -0500 - Update to pax-linux-4.2.3-test12.patch: - - removed size_overflow_hash.data.prev that was left behind by accident - - Emese fixed a false positive overflow report in the megaraid driver due to a gcc limitation, reported by vortex (https://forums.grsecurity.net/viewtopic.php?f=3&t=4277) + 6pack: Fix use after free in sixpack_close(). + + Need to do the unregister_device() after all references to the driver + private have been done. + + Also we need to use del_timer_sync() for the timers so that we don't + have any asynchronous references after the unregister. + + 
Signed-off-by: David S. Miller - drivers/scsi/megaraid/megaraid_sas.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + drivers/net/hamradio/6pack.c | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) -commit 7098385851c43dea6692508c71cd5fbcce3187b2 -Merge: bc6d23e 78b0f64 -Author: Brad Spengler -Date: Fri Oct 16 17:45:06 2015 -0400 +commit 4f9d532742656b3613d579220fd10c78f24ba37b +Author: Rabin Vincent +Date: Tue Jan 5 16:23:07 2016 +0100 - Merge branch 'pax-test' into grsec-test + net: filter: make JITs zero A for SKF_AD_ALU_XOR_X - Conflicts: - tools/gcc/size_overflow_plugin/intentional_overflow.c - -commit 78b0f643d8d2b870e8ad5df075d4ab79befa4266 -Author: Brad Spengler -Date: Fri Oct 16 17:44:18 2015 -0400 - - Update to pax-linux-4.2.3-test11.patch: - - Emese fixed a few false positives caused by error codes - - simplified the switch_mm code on x86 a bit + The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data + instructions since it XORs A with X while all the others replace A with + some loaded value. All the BPF JITs fail to clear A if this is used as + the first instruction in a filter. This was found using american fuzzy + lop. + + Add a helper to determine if A needs to be cleared given the first + instruction in a filter, and use this in the JITs. Except for ARM, the + rest have only been compile-tested. + + Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum") + Signed-off-by: Rabin Vincent + Acked-by: Daniel Borkmann + Acked-by: Alexei Starovoitov + 
Signed-off-by: David S. Miller - arch/x86/include/asm/mmu_context.h | 118 +++++-------- - include/drm/drm_mm.h | 2 +- - .../size_overflow_plugin/intentional_overflow.c | 11 +- - tools/gcc/size_overflow_plugin/size_overflow.h | 19 ++- - .../size_overflow_plugin/size_overflow_plugin.c | 2 +- - .../size_overflow_plugin/size_overflow_transform.c | 178 +++++++++----------- - .../size_overflow_transform_core.c | 31 ++-- - 7 files changed, 169 insertions(+), 192 deletions(-) + arch/arm/net/bpf_jit_32.c | 16 +--------------- + arch/mips/net/bpf_jit.c | 16 +--------------- + arch/powerpc/net/bpf_jit_comp.c | 13 ++----------- + arch/sparc/net/bpf_jit_comp.c | 17 ++--------------- + include/linux/filter.h | 19 +++++++++++++++++++ + 5 files changed, 25 insertions(+), 56 deletions(-) -commit bc6d23e3408e389f8a96134f6bc915e9fc8b370b -Author: Brad Spengler -Date: Fri Oct 16 17:28:54 2015 -0400 +commit 570d88f8acfffda92b89ae2e1c47320d47256034 +Author: John Fastabend +Date: Tue Jan 5 09:11:36 2016 -0800 - Update rpm devel spec, thanks to Andrew + net: sched: fix missing free per cpu on qstats + + When a qdisc is using per cpu stats (currently just the ingress + qdisc) only the bstats are being freed. This also free's the qstats. + + Fixes: b0ab6f92752b9f9d8 ("net: sched: enable per cpu qstats") + Signed-off-by: John Fastabend + Acked-by: Eric Dumazet + Acked-by: Daniel Borkmann + 
Signed-off-by: David S. Miller - scripts/package/mkspec | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) + net/sched/sch_generic.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) -commit b3f30cb9207a72a6aa4a78f23f8c5353be0bb27b -Author: Brad Spengler -Date: Thu Oct 15 20:10:56 2015 -0400 +commit 32c0ebc51857ee83470a10dcb234d308a0ed1881 +Author: Rabin Vincent +Date: Tue Jan 5 18:34:04 2016 +0100 - disable tracing support with GRKERNSEC_KMEM (it forces debugfs support on) + ARM: net: bpf: fix zero right shift + + The LSR instruction cannot be used to perform a zero right shift since a + 0 as the immediate value (imm5) in the LSR instruction encoding means + that a shift of 32 is perfomed. See DecodeIMMShift() in the ARM ARM. + + Make the JIT skip generation of the LSR if a zero-shift is requested. + + This was found using american fuzzy lop. + + Signed-off-by: Rabin Vincent + Acked-by: Alexei Starovoitov + 
Signed-off-by: David S. Miller - kernel/trace/Kconfig | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + arch/arm/net/bpf_jit_32.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) -commit 82a0c12587f14add438ddf3b558e2278fcb7a387 +commit 51f5d291750285efa4d4bbe84e5ec23dc00c8d2d Author: Brad Spengler -Date: Thu Oct 15 19:19:43 2015 -0400 - - Force DEBUG_FS off the hard way, since 'select' can cause it to be - inadvertently enabled. Add a backup check that fails the build if - GRKERNSEC_KMEM is enabled with DEBUG_FS - Ditto for PROC_PAGE_MONITOR - - arch/arc/Kconfig | 1 + - arch/arm/Kconfig.debug | 1 + - arch/arm64/Kconfig.debug | 1 + - arch/blackfin/Kconfig.debug | 1 + - arch/s390/Kconfig.debug | 1 + - arch/x86/Kconfig.debug | 2 ++ - drivers/iommu/Kconfig | 1 + - drivers/md/bcache/Kconfig | 1 + - drivers/net/wireless/ath/ath9k/Kconfig | 1 - - include/linux/grsecurity.h | 6 ++++++ - init/Kconfig | 1 + - kernel/trace/Kconfig | 2 ++ - lib/Kconfig.debug | 6 +++++- - mm/Kconfig | 3 +++ - net/sunrpc/Kconfig | 1 + - 15 files changed, 27 insertions(+), 2 deletions(-) - -commit 1b6f8fc8b8100292647638c713326776a0865705 -Author: Brad Spengler -Date: Thu Oct 15 17:58:59 2015 -0400 +Date: Wed Jan 6 20:35:57 2016 -0500 - Force DEBUG_FS off in the kernel config, even having it present is a security - risk + Don't perform hidden lookups in RBAC against the directory of + a file being opened with O_CREAT, reported by Karl Witt Conflicts: - lib/Kconfig.debug + fs/namei.c - lib/Kconfig.debug | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) + fs/namei.c | 3 --- + 1 files changed, 0 insertions(+), 3 deletions(-) -commit 21057fc30571f96aa46acf8922417311905d0f2b -Author: Brad Spengler -Date: Thu Oct 15 08:15:33 2015 -0400 +commit 5a8266a6b2769ccdb447256f95bc2577a73cccd1 +Author: Hannes Frederic Sowa +Date: Tue Jan 5 10:46:00 2016 +0100 - Backport fix from: https://patchwork.kernel.org/patch/6853351/ - The debug_read_tlb() uses the sprintf() functions directly on 
the buffer - allocated by buf = kmalloc(count), without taking into account the size - of the buffer, with the consequence corrupting the heap, depending on - the count requested by the user. + bridge: Only call /sbin/bridge-stp for the initial network namespace + + [I stole this patch from Eric Biederman. He wrote:] - The patch fixes the issue replacing sprintf() by seq_printf(). + > There is no defined mechanism to pass network namespace information + > into /sbin/bridge-stp therefore don't even try to invoke it except + > for bridge devices in the initial network namespace. + > + > It is possible for unprivileged users to cause /sbin/bridge-stp to be + > invoked for any network device name which if /sbin/bridge-stp does not + > guard against unreasonable arguments or being invoked twice on the + > same network device could cause problems. - Signed-off-by: Salva Peiró + [Hannes: changed patch using netns_eq] + + Cc: Eric W. Biederman + Signed-off-by: Eric W. Biederman + Signed-off-by: Hannes Frederic Sowa + 
Signed-off-by: David S. Miller - drivers/iommu/omap-iommu-debug.c | 26 +++++++------------------- - drivers/iommu/omap-iommu.c | 28 +++++++++++----------------- - drivers/iommu/omap-iommu.h | 3 +-- - 3 files changed, 19 insertions(+), 38 deletions(-) + net/bridge/br_stp_if.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) -commit ba936d19274485bad900a69d679878a50faa50aa -Author: Joe Perches -Date: Wed Oct 14 01:09:40 2015 -0700 +commit 650d535cc39f0aeff2f57e60b6617be25d3ef48b +Author: Marcelo Ricardo Leitner +Date: Wed Dec 23 16:28:40 2015 -0200 - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings + sctp: use GFP_USER for user-controlled kmalloc - It seems that kernel memory can leak into userspace by a - kmalloc, ethtool_get_strings, then copy_to_user sequence. + Commit cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc") + missed two other spots. - Avoid this by using kcalloc to zero fill the copied buffer. + For connectx, as it's more likely to be used by kernel users of the API, + it detects if GFP_USER should be used or not. - Signed-off-by: Joe Perches - Acked-by: Ben Hutchings + Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc") + Reported-by: Dmitry Vyukov + Signed-off-by: Marcelo Ricardo Leitner 
Signed-off-by: David S. Miller - net/core/ethtool.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -commit bae0a8209962cede6a0d486cf2414cac1747f91b -Author: Brad Spengler -Date: Wed Oct 14 19:54:27 2015 -0400 + net/sctp/socket.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) - Update size_overflow hash table +commit 5718a1f63c41fc156f729783423b002763779d04 +Author: Florian Westphal +Date: Thu Dec 31 14:26:33 2015 +0100 - .../size_overflow_plugin/size_overflow_hash.data | 53 +++++++++++++++++-- - 1 files changed, 47 insertions(+), 6 deletions(-) + connector: bump skb->users before callback invocation + + Dmitry reports memleak with syskaller program. + Problem is that connector bumps skb usecount but might not invoke callback. + + So move skb_get to where we invoke the callback. + + Reported-by: Dmitry Vyukov + Signed-off-by: Florian Westphal + 
Signed-off-by: David S. Miller -commit 1d840cc98b8f9b62d3c906ae24385f79c9131e29 -Author: Brad Spengler -Date: Wed Oct 14 19:50:48 2015 -0400 + drivers/connector/connector.c | 11 +++-------- + 1 files changed, 3 insertions(+), 8 deletions(-) - Update size_overflow hash table +commit 2e6372e6a97f8d642416899861f91777f44f13b7 +Author: Rainer Weikusat +Date: Sun Jan 3 18:56:38 2016 +0000 - .../size_overflow_plugin/size_overflow_hash.data | 1 + + af_unix: Fix splice-bind deadlock + + On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice + system call and AF_UNIX sockets, + + http://lists.openwall.net/netdev/2015/11/06/24 + + The situation was analyzed as + + (a while ago) A: socketpair() + B: splice() from a pipe to /mnt/regular_file + does sb_start_write() on /mnt + C: try to freeze /mnt + wait for B to finish with /mnt + A: bind() try to bind our socket to /mnt/new_socket_name + lock our socket, see it not bound yet + decide that it needs to create something in /mnt + try to do sb_start_write() on /mnt, block (it's + waiting for C). + D: splice() from the same pipe to our socket + lock the pipe, see that socket is connected + try to lock the socket, block waiting for A + B: get around to actually feeding a chunk from + pipe to file, try to lock the pipe. Deadlock. + + on 2015/11/10 by Al Viro, + + http://lists.openwall.net/netdev/2015/11/10/4 + + The patch fixes this by removing the kern_path_create related code from + unix_mknod and executing it as part of unix_bind prior acquiring the + readlock of the socket in question. This means that A (as used above) + will sb_start_write on /mnt before it acquires the readlock, hence, it + won't indirectly block B which first did a sb_start_write and then + waited for a thread trying to acquire the readlock. Consequently, A + being blocked by C waiting for B won't cause a deadlock anymore + (effectively, both A and B acquire two locks in opposite order in the + situation described above). 
+ + Dmitry Vyukov() tested the original patch. + + Signed-off-by: Rainer Weikusat + 
Signed-off-by: David S. Miller + + Conflicts: + + net/unix/af_unix.c + + net/unix/af_unix.c | 70 +++++++++++++++++++++++++++++++-------------------- + 1 files changed, 42 insertions(+), 28 deletions(-) + +commit 2e729e557c571f3253e32472cd7d382ac16cf1c3 +Author: Qiu Peiyang +Date: Thu Dec 31 13:11:28 2015 +0800 + + tracing: Fix setting of start_index in find_next() + + When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel + panic at t_show. + + general protection fault: 0000 [#1] PREEMPT SMP + CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2 + RIP: 0010:[] + [] t_show+0x22/0xe0 + RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004 + RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1 + RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec + R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0 + R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570 + FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40 + CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 + CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0 + Call Trace: + [] seq_read+0x2f6/0x3e0 + [] vfs_read+0x9b/0x160 + [] SyS_read+0x49/0xb0 + [] ia32_do_call+0x13/0x13 + ---[ end trace 5bd9eb630614861e ]--- + Kernel panic - not syncing: Fatal exception + + When the first time find_next calls find_next_mod_format, it should + iterate the trace_bprintk_fmt_list to find the first print format of + the module. However in current code, start_index is smaller than *pos + at first, and code will not iterate the list. Latter container_of will + get the wrong address with former v, which will cause mod_fmt be a + meaningless object and so is the returned mod_fmt->fmt. + + This patch will fix it by correcting the start_index. 
After fixed, + when the first time calls find_next_mod_format, start_index will be + equal to *pos, and code will iterate the trace_bprintk_fmt_list to + get the right module printk format, so is the returned mod_fmt->fmt. + + Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com + + Cc: stable@vger.kernel.org # 3.12+ + Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers" + Signed-off-by: Qiu Peiyang + Signed-off-by: Steven Rostedt + + kernel/trace/trace_printk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) -commit fca9b7af6aebd1d80f364d6d849470e917919004 -Author: Brad Spengler -Date: Wed Oct 14 19:47:21 2015 -0400 +commit 0994af4b1930f32aa493dc08145cd304f8bfc8f4 +Author: Al Viro +Date: Mon Dec 28 20:47:08 2015 -0500 - Update size_overflow hash table + [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64() + + Cc: stable@vger.kernel.org # 3.15+ + Reviewed-by: Jeff Layton + 
Signed-off-by: Al Viro - .../size_overflow_plugin/size_overflow_hash.data | 300 ++++++++++++++++---- - 1 files changed, 244 insertions(+), 56 deletions(-) + arch/arm/kernel/sys_oabi-compat.c | 73 +++++++++++++++++++------------------ + 1 files changed, 37 insertions(+), 36 deletions(-) -commit 07cadc277ba83222698c99091c7da2c28275981f +commit 4ed030f65dcf3e6b0128032a49a7d75f947fa351 +Merge: de243c2 3adc55a Author: Brad Spengler -Date: Wed Oct 14 19:39:44 2015 -0400 +Date: Tue Jan 5 18:10:10 2016 -0500 - squelch some informational messages only used by Emese + Merge branch 'pax-test' into grsec-test - .../size_overflow_plugin/intentional_overflow.c | 6 +++--- - 1 files changed, 3 insertions(+), 3 deletions(-) +commit 3adc55a5acfa429c2a7cc883aef08b960c0079b0 +Author: Brad Spengler +Date: Tue Jan 5 18:08:53 2016 -0500 + + Update to pax-linux-4.3.3-test16.patch: + - small cleanup in entry_64.S on x86 + - Emese fixed the initify plugin to recursively check variable initializers, reported by Rasmus Villemoes + - fixed an integer truncation of a partially uninitialized value bug in em_pop_sreg, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4354) + - fixed alternatives patching of call insns under KERNEXEC/i386, reported by fly_a320 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4305) and TTgrsec (https://forums.grsecurity.net/viewtopic.php?f=3&t=4353) + - fixed a size overflow false positive that triggered in tcp_parse_options on arm, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350&p=15917#p15916) + - fixed a boot crash on amd64 with KERNEXEC/OR and CONTEXT_TRACKING, reported by Klaus Kusche (https://bugs.gentoo.org/show_bug.cgi?id=570420) + + arch/x86/entry/entry_64.S | 60 +++++----- + arch/x86/kernel/alternative.c | 2 +- + arch/x86/kvm/emulate.c | 4 +- + tools/gcc/initify_plugin.c | 123 +++++++++---------- + .../disable_size_overflow_hash.data | 4 +- + .../size_overflow_plugin/size_overflow_hash.data | 2 - + 6 files 
changed, 93 insertions(+), 102 deletions(-) -commit 77eeeac20bde1e0ebd72efe0f7b5c52786411bc7 +commit de243c26efd0e423ca92db825af2c3f8eb1ca043 Author: Brad Spengler -Date: Wed Oct 14 19:15:56 2015 -0400 +Date: Tue Dec 29 18:01:24 2015 -0500 - Re-enable size_overflow + It was noticed during an internal audit that the code under GRKERNSEC_PROC_MEMMAP + which aimed to enforce a 16MB minimum on RLIMIT_DATA for suid/sgid binaries only + did so if RLIMIT_DATA was set lower than PAGE_SIZE. + + This addition was only supplemental as GRKERNSEC_BRUTE is the main defense + against suid/sgid attacks and the flaw above would only eliminate the extra + entropy provided for the brk-managed heap, still leaving it with the minimum + of 16-bit entropy for mmap on x86 and 28 on x64. - security/Kconfig | 1 - - 1 files changed, 0 insertions(+), 1 deletions(-) + mm/mmap.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -commit cb8efa1fd63be1bbcf5e585396cc0ed562d0c624 -Merge: 913cbf6 4c48a7f +commit 8e264cfe47e5f08cdc9ed009a630277206cd2534 +Merge: 436201b 2584340 Author: Brad Spengler -Date: Wed Oct 14 17:14:42 2015 -0400 +Date: Mon Dec 28 20:30:01 2015 -0500 Merge branch 'pax-test' into grsec-test - - Conflicts: - tools/gcc/size_overflow_plugin/size_overflow_hash.data -commit 4c48a7fc8df9310f994708b42fe1102a2943917c +commit 2584340eab494e64ec1bf9eb5b0d1ae31f926306 Author: Brad Spengler -Date: Wed Oct 14 17:12:54 2015 -0400 - - Update to pax-linux-4.2.3-test10.patch: - - fixed accidentally dropped csum_partial_copy_generic_to_user entry point for pre-P6 i386 configs, by minipli - - Emese fixed a bunch of false positives with the size overflow plugin, let's see how it goes in the real world :) - - arch/x86/include/asm/processor.h | 2 +- - arch/x86/include/asm/ptrace.h | 8 +- - arch/x86/lib/checksum_32.S | 2 + - arch/x86/xen/mmu.c | 2 +- - drivers/ata/libahci.c | 2 +- - drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- - drivers/oprofile/oprofile_files.c | 2 +- - drivers/spi/spidev.c | 2 
+- - drivers/tty/n_tty.c | 2 +- - drivers/usb/core/message.c | 6 +- - fs/binfmt_elf.c | 2 +- - fs/ubifs/io.c | 2 +- - include/drm/drm_mm.h | 2 +- - include/linux/completion.h | 12 +- - include/linux/jiffies.h | 10 +- - include/linux/kernel.h | 2 +- - include/linux/mm.h | 2 +- - include/linux/random.h | 4 +- - include/linux/sched.h | 2 +- - include/linux/usb.h | 2 +- - kernel/sched/completion.c | 6 +- - kernel/time/timer.c | 2 +- - lib/bitmap.c | 2 +- - mm/internal.h | 2 +- - net/sunrpc/svcauth_unix.c | 2 +- - .../disable_size_overflow_hash.data |22980 +++++++++++--------- - .../insert_size_overflow_asm.c | 7 + - .../size_overflow_plugin/intentional_overflow.c | 10 +- - tools/gcc/size_overflow_plugin/size_overflow.h | 29 +- - .../gcc/size_overflow_plugin/size_overflow_debug.c | 20 +- - .../size_overflow_plugin/size_overflow_hash.data |14092 ++++++++---- - tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 252 +- - .../size_overflow_plugin/size_overflow_plugin.c | 2 +- - .../size_overflow_plugin_hash.c | 13 +- - .../size_overflow_plugin/size_overflow_transform.c | 205 +- - .../size_overflow_transform_core.c | 4 +- - 36 files changed, 21958 insertions(+), 15740 deletions(-) - -commit 913cbf6a23fcad570b776b1a5a71242b909c5c99 -Author: Dave Kleikamp -Date: Mon Oct 5 10:08:51 2015 -0500 - - crypto: sparc - initialize blkcipher.ivsize - - Some of the crypto algorithms write to the initialization vector, - but no space has been allocated for it. This clobbers adjacent memory. 
+Date: Mon Dec 28 20:29:28 2015 -0500 + + Update to pax-linux-4.3.3-test14.patch: + - fixed an integer sign conversion error in i2c_dw_pci_probe caught by the size overflow plugin, reported by Jean Lucas and ganymede (https://forums.grsecurity.net/viewtopic.php?f=3&t=4349) + - fixed shutdown crash with tboot and KERNEXEC, reported by perfinion + - fixed a few false positive and one real size overflow reports in hyperv, reported by hunger + - fixed compile regressions on armv5, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350) + - fixed an assert in the initify plugin that triggered in vic_register on arm + + arch/arm/include/asm/atomic.h | 7 +++++-- + arch/arm/include/asm/domain.h | 5 ++--- + arch/x86/kernel/tboot.c | 14 +++++++++----- + drivers/hv/channel.c | 4 +--- + drivers/i2c/busses/i2c-designware-pcidrv.c | 2 +- + drivers/net/hyperv/rndis_filter.c | 3 +-- + fs/exec.c | 4 ++-- + include/linux/atomic.h | 15 --------------- + net/core/skbuff.c | 3 ++- + tools/gcc/initify_plugin.c | 4 +++- + 10 files changed, 26 insertions(+), 35 deletions(-) + +commit 436201b6626b488d173c8076447000077c27b84a +Author: David Howells +Date: Fri Dec 18 01:34:26 2015 +0000 + + KEYS: Fix race between read and revoke + + This fixes CVE-2015-7550. + + There's a race between keyctl_read() and keyctl_revoke(). If the revoke + happens between keyctl_read() checking the validity of a key and the key's + semaphore being taken, then the key type read method will see a revoked key. + + This causes a problem for the user-defined key type because it assumes in + its read method that there will always be a payload in a non-revoked key + and doesn't check for a NULL pointer. + + Fix this by making keyctl_read() check the validity of a key after taking + semaphore instead of before. + + I think the bug was introduced with the original keyrings code. + + This was discovered by a multithreaded test program generated by syzkaller + (http://github.com/google/syzkaller). 
Here's a cleaned up version: + + #include + #include + #include + void *thr0(void *arg) + { + key_serial_t key = (unsigned long)arg; + keyctl_revoke(key); + return 0; + } + void *thr1(void *arg) + { + key_serial_t key = (unsigned long)arg; + char buffer[16]; + keyctl_read(key, buffer, 16); + return 0; + } + int main() + { + key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); + pthread_t th[5]; + pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); + pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); + pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); + pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); + pthread_join(th[0], 0); + pthread_join(th[1], 0); + pthread_join(th[2], 0); + pthread_join(th[3], 0); + return 0; + } + + Build as: + + cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread + + Run as: + + while keyctl-race; do :; done + + as it may need several iterations to crash the kernel. The crash can be + summarised as: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 + IP: [] user_read+0x56/0xa3 + ... + Call Trace: + [] keyctl_read_key+0xb6/0xd7 + [] SyS_keyctl+0x83/0xe0 + [] entry_SYSCALL_64_fastpath+0x12/0x6f + Reported-by: Dmitry Vyukov + Signed-off-by: David Howells + Tested-by: Dmitry Vyukov Cc: stable@vger.kernel.org - Signed-off-by: Dave Kleikamp - Signed-off-by: Herbert Xu + 
Signed-off-by: James Morris - arch/sparc/crypto/aes_glue.c | 2 ++ - arch/sparc/crypto/camellia_glue.c | 1 + - arch/sparc/crypto/des_glue.c | 2 ++ - 3 files changed, 5 insertions(+), 0 deletions(-) + security/keys/keyctl.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) -commit 7af7ad1e287067b7ea659dc0dd3e2e355588e246 +commit 195cea04477025da4a2078bd3e1fb7c4e11206c2 Author: Brad Spengler -Date: Tue Oct 13 08:03:51 2015 -0400 - - Apply fix by Tejun Heo for upstream bug reported on the forums by Fuxino: - https://forums.grsecurity.net/viewtopic.php?f=3&t=4276#p15570 - - Probably made more easily reproducible via SANITIZE, but we won't know for - sure without a full oops report. - - For some reason even though this patch was marked for 4.2+ stable over a month - ago, it still hasn't hit Greg's tree. +Date: Tue Dec 22 20:44:01 2015 -0500 - block/blk-cgroup.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) + Add new kernel command-line param: pax_size_overflow_report_only + If a user triggers a size_overflow violation that makes it difficult + to obtain the call trace without serial console/net console, they can + use this option to provide that information to us -commit 8e1f29f9e1af36f71d12213ea6530eb77014c00c -Author: Dmitry Vyukov -Date: Thu Sep 17 17:17:10 2015 +0200 - - tty: fix data race on tty_buffer.commit - - Race on buffer data happens when newly committed data is - picked up by an old flush work in the following scenario: - __tty_buffer_request_room does a plain write of tail->commit, - no barriers were executed before that. - At this point flush_to_ldisc reads this new value of commit, - and reads buffer data, no barriers in between. - The committed buffer data is not necessary visible to flush_to_ldisc. - - Similar bug happens when tty_schedule_flip commits data. - - Update commit with smp_store_release and read commit with - smp_load_acquire, as it is commit that signals data readiness. 
- This is orthogonal to the existing synchronization on tty_buffer.next, - which is required to not dismiss a buffer with unconsumed data. - - The data race was found with KernelThreadSanitizer (KTSAN). - - Signed-off-by: Dmitry Vyukov - Reviewed-by: Peter Hurley - Signed-off-by: Greg Kroah-Hartman - - drivers/tty/tty_buffer.c | 15 ++++++++++++--- - 1 files changed, 12 insertions(+), 3 deletions(-) - -commit d62db216e7182e24317596471c1a3a2a9fb9d1f5 -Author: Peter Hurley -Date: Sun Jul 12 20:50:49 2015 -0400 - - tty: Replace smp_rmb/smp_wmb with smp_load_acquire/smp_store_release - - Clarify flip buffer producer/consumer operation; the use of - smp_load_acquire() and smp_store_release() more clearly indicates - which memory access requires a barrier. - - Signed-off-by: Peter Hurley - 
Signed-off-by: Greg Kroah-Hartman - - drivers/tty/tty_buffer.c | 10 ++++------ - 1 files changed, 4 insertions(+), 6 deletions(-) - -commit c6bbe8a6097f869b6a3d3c40d456727180573dd9 -Author: Kosuke Tatsukawa -Date: Fri Oct 2 08:27:05 2015 +0000 - - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c - - My colleague ran into a program stall on a x86_64 server, where - n_tty_read() was waiting for data even if there was data in the buffer - in the pty. kernel stack for the stuck process looks like below. - #0 [ffff88303d107b58] __schedule at ffffffff815c4b20 - #1 [ffff88303d107bd0] schedule at ffffffff815c513e - #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818 - #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2 - #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23 - #5 [ffff88303d107dd0] tty_read at ffffffff81368013 - #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704 - #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57 - #8 [ffff88303d107f00] sys_read at ffffffff811a4306 - #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7 - - There seems to be two problems causing this issue. - - First, in drivers/tty/n_tty.c, __receive_buf() stores the data and - updates ldata->commit_head using smp_store_release() and then checks - the wait queue using waitqueue_active(). However, since there is no - memory barrier, __receive_buf() could return without calling - wake_up_interactive_poll(), and at the same time, n_tty_read() could - start to wait in wait_woken() as in the following chart. - - __receive_buf() n_tty_read() - ------------------------------------------------------------------------ - if (waitqueue_active(&tty->read_wait)) - /* Memory operations issued after the - RELEASE may be completed before the - RELEASE operation has completed */ - add_wait_queue(&tty->read_wait, &wait); - ... - if (!input_available_p(tty, 0)) { - smp_store_release(&ldata->commit_head, - ldata->read_head); - ... 
- timeout = wait_woken(&wait, - TASK_INTERRUPTIBLE, timeout); - ------------------------------------------------------------------------ - - The second problem is that n_tty_read() also lacks a memory barrier - call and could also cause __receive_buf() to return without calling - wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken() - as in the chart below. - - __receive_buf() n_tty_read() - ------------------------------------------------------------------------ - spin_lock_irqsave(&q->lock, flags); - /* from add_wait_queue() */ - ... - if (!input_available_p(tty, 0)) { - /* Memory operations issued after the - RELEASE may be completed before the - RELEASE operation has completed */ - smp_store_release(&ldata->commit_head, - ldata->read_head); - if (waitqueue_active(&tty->read_wait)) - __add_wait_queue(q, wait); - spin_unlock_irqrestore(&q->lock,flags); - /* from add_wait_queue() */ - ... - timeout = wait_woken(&wait, - TASK_INTERRUPTIBLE, timeout); - ------------------------------------------------------------------------ - - There are also other places in drivers/tty/n_tty.c which have similar - calls to waitqueue_active(), so instead of adding many memory barrier - calls, this patch simply removes the call to waitqueue_active(), - leaving just wake_up*() behind. - - This fixes both problems because, even though the memory access before - or after the spinlocks in both wake_up*() and add_wait_queue() can - sneak into the critical section, it cannot go past it and the critical - section assures that they will be serialized (please see "INTER-CPU - ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a - better explanation). Moreover, the resulting code is much simpler. - - Latency measurement using a ping-pong test over a pty doesn't show any - visible performance drop. - - Signed-off-by: Kosuke Tatsukawa - Cc: stable@vger.kernel.org - 
Signed-off-by: Greg Kroah-Hartman + Documentation/kernel-parameters.txt | 5 +++++ + fs/exec.c | 12 +++++++++--- + init/main.c | 11 +++++++++++ + 3 files changed, 25 insertions(+), 3 deletions(-) - drivers/tty/n_tty.c | 15 +++++---------- - 1 files changed, 5 insertions(+), 10 deletions(-) +commit 4254a8da5851df8c08cdca5c392916e8c105408d +Author: WANG Cong +Date: Mon Dec 21 10:55:45 2015 -0800 -commit 3af2011ac1a085a3e8c57ca3a840aec393b37db3 -Author: Dmitry Vyukov -Date: Thu Sep 17 17:17:08 2015 +0200 - - tty: fix data race in flush_to_ldisc - - flush_to_ldisc reads port->itty and checks that it is not NULL, - concurrently release_tty sets port->itty to NULL. It is possible - that flush_to_ldisc loads port->itty once, ensures that it is - not NULL, but then reloads it again and uses. The second load - can already return NULL, which will cause a crash. - - Use READ_ONCE to read port->itty. + addrconf: always initialize sysctl table data - The data race was found with KernelThreadSanitizer (KTSAN). + When sysctl performs restrict writes, it allows to write from + a middle position of a sysctl file, which requires us to initialize + the table data before calling proc_dostring() for the write case. - Signed-off-by: Dmitry Vyukov - Reviewed-by: Peter Hurley - Signed-off-by: Greg Kroah-Hartman + Fixes: 3d1bec99320d ("ipv6: introduce secret_stable to ipv6_devconf") + Reported-by: Sasha Levin + Acked-by: Hannes Frederic Sowa + Tested-by: Sasha Levin + Signed-off-by: Cong Wang + 
Signed-off-by: David S. Miller - drivers/tty/tty_buffer.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + net/ipv6/addrconf.c | 11 ++++------- + 1 files changed, 4 insertions(+), 7 deletions(-) -commit 4a433f384b0a5b7e39f969ee8df89c56537d078d -Author: Dmitry Vyukov -Date: Thu Sep 17 17:17:09 2015 +0200 +commit f8002863fb06c363180637046947a78a6ccb3d33 +Author: WANG Cong +Date: Wed Dec 16 23:39:04 2015 -0800 - tty: fix data race in tty_buffer_flush + net: check both type and procotol for tcp sockets - tty_buffer_flush frees not acquired buffers. - As the result, for example, read of b->size in tty_buffer_free - can return garbage value which will lead to a huge buffer - hanging in the freelist. This is just the benignest - manifestation of freeing of a not acquired object. - If the object is passed to kfree, heap can be corrupted. + Dmitry reported the following out-of-bound access: - Acquire visibility over the buffer before freeing it. + Call Trace: + [] __asan_report_load4_noabort+0x3e/0x40 + mm/kasan/report.c:294 + [] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880 + [< inline >] SYSC_setsockopt net/socket.c:1746 + [] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729 + [] entry_SYSCALL_64_fastpath+0x16/0x7a + arch/x86/entry/entry_64.S:185 - The data race was found with KernelThreadSanitizer (KTSAN). + This is because we mistake a raw socket as a tcp socket. + We should check both sk->sk_type and sk->sk_protocol to ensure + it is a tcp socket. - Signed-off-by: Dmitry Vyukov - Reviewed-by: Peter Hurley - 
Signed-off-by: Greg Kroah-Hartman - - drivers/tty/tty_buffer.c | 5 ++++- - 1 files changed, 4 insertions(+), 1 deletions(-) - -commit 1477c439d65debf45ac3164a1615504131fad1ff -Author: Jann Horn -Date: Sun Oct 4 19:29:12 2015 +0200 - - drivers/tty: require read access for controlling terminal - - This is mostly a hardening fix, given that write-only access to other - users' ttys is usually only given through setgid tty executables. + Willem points out __skb_complete_tx_timestamp() needs to fix as well. - Signed-off-by: Jann Horn - Cc: stable@vger.kernel.org - Signed-off-by: Greg Kroah-Hartman + Reported-by: Dmitry Vyukov + Cc: Willem de Bruijn + Cc: Eric Dumazet + Signed-off-by: Cong Wang + Acked-by: Willem de Bruijn + 
Signed-off-by: David S. Miller - drivers/tty/tty_io.c | 31 +++++++++++++++++++++++++++---- - 1 files changed, 27 insertions(+), 4 deletions(-) + net/core/skbuff.c | 3 ++- + net/core/sock.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) -commit c2d51348729aa244b827216715db7734daf07155 -Author: Brad Spengler -Date: Mon Oct 12 07:19:03 2015 -0400 +commit bd6b3399804470a4ad8f34229469ca149dceba3d +Author: Colin Ian King +Date: Fri Dec 18 14:22:01 2015 -0800 - Don't auto-enable UDEREF on x64 with a VirtualBox host + proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter - Conflicts: + Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit + 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") removed + the setting of ret after the get_proc_task call and incorrectly left it as + -ESRCH. Instead, return 0 when successful. - security/Kconfig - - security/Kconfig | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -commit 45ff0fe97624b7133be6f0280ab8fda4610b7937 -Merge: ca6828e 1c527d2 -Author: Brad Spengler -Date: Sun Oct 11 17:17:58 2015 -0400 - - Merge branch 'pax-test' into grsec-test + Example breakage: - Conflicts: - arch/x86/mm/pgtable.c - -commit 1c527d25ad2ece4cdb4723047625d96b942a3b91 -Author: Brad Spengler -Date: Sun Oct 11 17:16:49 2015 -0400 - - Update to pax-linux-4.2.3-test9.patch: - - really fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) and quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275) - - fixed a compilation error caused by the above regression, reported by spender - - fixed an arm compilation error, reported by Emese - - arch/arm/kernel/module-plts.c | 7 +------ - arch/x86/mm/pgtable.c | 21 +++++++++++++++++++-- - 2 files changed, 20 insertions(+), 8 deletions(-) - -commit ca6828e73b10b4a7537b16a37c2c0280523171e1 -Author: Trond Myklebust -Date: Fri Oct 9 13:44:34 2015 
-0400 - - namei: results of d_is_negative() should be checked after dentry revalidation - - Leandro Awa writes: - "After switching to version 4.1.6, our parallelized and distributed - workflows now fail consistently with errors of the form: - - T34: ./regex.c:39:22: error: config.h: No such file or directory - - From our 'git bisect' testing, the following commit appears to be the - possible cause of the behavior we've been seeing: commit 766c4cbfacd8" - - Al Viro says: - "What happens is that 766c4cbfacd8 got the things subtly wrong. - - We used to treat d_is_negative() after lookup_fast() as "fall with - ENOENT". That was wrong - checking ->d_flags outside of ->d_seq - protection is unreliable and failing with hard error on what should've - fallen back to non-RCU pathname resolution is a bug. - - Unfortunately, we'd pulled the test too far up and ran afoul of - another kind of staleness. The dentry might have been absolutely - stable from the RCU point of view (and we might be on UP, etc), but - stale from the remote fs point of view. If ->d_revalidate() returns - "it's actually stale", dentry gets thrown away and the original code - wouldn't even have looked at its ->d_flags. - - What we need is to check ->d_flags where 766c4cbfacd8 does (prior to - ->d_seq validation) but only use the result in cases where we do not - discard this dentry outright" - - Reported-by: Leandro Awa - Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911 - Fixes: 766c4cbfacd8 ("namei: d_is_negative() should be checked...") - Tested-by: Leandro Awa - Cc: stable@vger.kernel.org # v4.1+ - Signed-off-by: Trond Myklebust - Acked-by: Al Viro + echo 0 > /proc/self/coredump_filter + bash: echo: write error: No such process + + Fixes: 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") + Signed-off-by: Colin Ian King + Acked-by: Kees Cook + Cc: [4.3+] + Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds - fs/namei.c | 8 ++++++-- - 1 files changed, 6 insertions(+), 2 deletions(-) - -commit c0181260ce096a814637ad60e45a64c94840fffa -Author: Matt Fleming -Date: Fri Sep 25 23:02:18 2015 +0100 - - x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down - - Beginning with UEFI v2.5 EFI_PROPERTIES_TABLE was introduced - that signals that the firmware PE/COFF loader supports splitting - code and data sections of PE/COFF images into separate EFI - memory map entries. This allows the kernel to map those regions - with strict memory protections, e.g. EFI_MEMORY_RO for code, - EFI_MEMORY_XP for data, etc. - - Unfortunately, an unwritten requirement of this new feature is - that the regions need to be mapped with the same offsets - relative to each other as observed in the EFI memory map. If - this is not done crashes like this may occur, - - BUG: unable to handle kernel paging request at fffffffefe6086dd - IP: [] 0xfffffffefe6086dd - Call Trace: - [] efi_call+0x7e/0x100 - [] ? virt_efi_set_variable+0x61/0x90 - [] efi_delete_dummy_variable+0x63/0x70 - [] efi_enter_virtual_mode+0x383/0x392 - [] start_kernel+0x38a/0x417 - [] x86_64_start_reservations+0x2a/0x2c - [] x86_64_start_kernel+0xeb/0xef - - Here 0xfffffffefe6086dd refers to an address the firmware - expects to be mapped but which the OS never claimed was mapped. - The issue is that included in these regions are relative - addresses to other regions which were emitted by the firmware - toolchain before the "splitting" of sections occurred at - runtime. - - Needless to say, we don't satisfy this unwritten requirement on - x86_64 and instead map the EFI memory map entries in reverse - order. The above crash is almost certainly triggerable with any - kernel newer than v3.13 because that's when we rewrote the EFI - runtime region mapping code, in commit d2f7cbe7b26a ("x86/efi: - Runtime services virtual mapping"). 
For kernel versions before - v3.13 things may work by pure luck depending on the - fragmentation of the kernel virtual address space at the time we - map the EFI regions. - - Instead of mapping the EFI memory map entries in reverse order, - where entry N has a higher virtual address than entry N+1, map - them in the same order as they appear in the EFI memory map to - preserve this relative offset between regions. - - This patch has been kept as small as possible with the intention - that it should be applied aggressively to stable and - distribution kernels. It is very much a bugfix rather than - support for a new feature, since when EFI_PROPERTIES_TABLE is - enabled we must map things as outlined above to even boot - we - have no way of asking the firmware not to split the code/data - regions. - - In fact, this patch doesn't even make use of the more strict - memory protections available in UEFI v2.5. That will come later. - - Suggested-by: Ard Biesheuvel - Reported-by: Ard Biesheuvel - Signed-off-by: Matt Fleming - Cc: - Cc: Borislav Petkov - Cc: Chun-Yi - Cc: Dave Young - Cc: H. Peter Anvin - Cc: James Bottomley - Cc: Lee, Chun-Yi - Cc: Leif Lindholm - Cc: Linus Torvalds - Cc: Matthew Garrett - Cc: Mike Galbraith - Cc: Peter Jones - Cc: Peter Zijlstra - Cc: Thomas Gleixner - Cc: linux-kernel@vger.kernel.org - Link: http://lkml.kernel.org/r/1443218539-7610-2-git-send-email-matt@codeblueprint.co.uk - 
Signed-off-by: Ingo Molnar - - arch/x86/platform/efi/efi.c | 67 ++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 66 insertions(+), 1 deletions(-) - -commit 9377caab146791c8c587da3750d6eddcd01bdfba -Author: Ard Biesheuvel -Date: Fri Sep 25 23:02:19 2015 +0100 - - arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions - - The new Properties Table feature introduced in UEFIv2.5 may - split memory regions that cover PE/COFF memory images into - separate code and data regions. Since these regions only differ - in the type (runtime code vs runtime data) and the permission - bits, but not in the memory type attributes (UC/WC/WT/WB), the - spec does not require them to be aligned to 64 KB. - - Since the relative offset of PE/COFF .text and .data segments - cannot be changed on the fly, this means that we can no longer - pad out those regions to be mappable using 64 KB pages. - Unfortunately, there is no annotation in the UEFI memory map - that identifies data regions that were split off from a code - region, so we must apply this logic to all adjacent runtime - regions whose attributes only differ in the permission bits. - - So instead of rounding each memory region to 64 KB alignment at - both ends, only round down regions that are not directly - preceded by another runtime region with the same type - attributes. Since the UEFI spec does not mandate that the memory - map be sorted, this means we also need to sort it first. - - Note that this change will result in all EFI_MEMORY_RUNTIME - regions whose start addresses are not aligned to the OS page - size to be mapped with executable permissions (i.e., on kernels - compiled with 64 KB pages). However, since these mappings are - only active during the time that UEFI Runtime Services are being - invoked, the window for abuse is rather small. - - Tested-by: Mark Salter - Tested-by: Mark Rutland [UEFI 2.4 only] - Signed-off-by: Ard Biesheuvel - 
Signed-off-by: Matt Fleming - Reviewed-by: Mark Salter - Reviewed-by: Mark Rutland - Cc: # v4.0+ - Cc: Catalin Marinas - Cc: Leif Lindholm - Cc: Linus Torvalds - Cc: Mike Galbraith - Cc: Peter Zijlstra - Cc: Thomas Gleixner - Cc: Will Deacon - Cc: linux-kernel@vger.kernel.org - Link: http://lkml.kernel.org/r/1443218539-7610-3-git-send-email-matt@codeblueprint.co.uk - Signed-off-by: Ingo Molnar - - arch/arm64/kernel/efi.c | 3 +- - drivers/firmware/efi/libstub/arm-stub.c | 88 +++++++++++++++++++++++++----- - 2 files changed, 75 insertions(+), 16 deletions(-) - -commit 189124f1e733622c44d72060832af3c68d7ee8bc -Author: Ralf Baechle -Date: Fri Oct 2 09:48:57 2015 +0200 - - MIPS: BPF: Fix load delay slots. - - The entire bpf_jit_asm.S is written in noreorder mode because "we know - better" according to a comment. This also prevented the assembler from - throwing in the required NOPs for MIPS I processors which have no - load-use interlock, thus the load's consumer might end up using the - old value of the register from prior to the load. - - Fixed by putting the assembler in reorder mode for just the affected - load instructions. This is not enough for gas to actually try to be - clever by looking at the next instruction and inserting a nop only - when needed but as the comment said "we know better", so getting gas - to unconditionally emit a NOP is just right in this case and prevents - adding further ifdefery. - - 
Signed-off-by: Ralf Baechle
-
- arch/mips/net/bpf_jit_asm.S | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-commit b4b012d6599fbc3c6e81f0a03cd59eb9f0095ed8
-Author: Lee, Chun-Yi
-Date: Tue Sep 29 20:58:57 2015 +0800
-
- x86/kexec: Fix kexec crash in syscall kexec_file_load()
-
- The original bug is a page fault crash that sometimes happens
- on big machines when preparing ELF headers:
-
- BUG: unable to handle kernel paging request at ffffc90613fc9000
- IP: [] prepare_elf64_ram_headers_callback+0x165/0x260
-
- The bug is caused by us under-counting the number of memory ranges
- and subsequently not allocating enough ELF header space for them.
- The bug is typically masked on smaller systems, because the ELF header
- allocation is rounded up to the next page.
-
- This patch modifies the code in fill_up_crash_elf_data() by using
- walk_system_ram_res() instead of walk_system_ram_range() to correctly
- count the max number of crash memory ranges. That's because the
- walk_system_ram_range() filters out small memory regions that
- reside in the same page, but walk_system_ram_res() does not.
-
- Here's how I found the bug:
-
- After tracing prepare_elf64_headers() and prepare_elf64_ram_headers_callback(),
- the code uses walk_system_ram_res() to fill-in crash memory regions information
- to the program header, so it counts those small memory regions that
- reside in a page area.
-
- But, when the kernel was using walk_system_ram_range() in
- fill_up_crash_elf_data() to count the number of crash memory regions,
- it filters out small regions.
-
- I printed those small memory regions, for example:
-
- kexec: Get nr_ram ranges.
vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0 - - Based on the code in walk_system_ram_range(), this memory region - will be filtered out: - - pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593 - end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593 - end_pfn - pfn = 0x77593 - 0x77593 = 0 <=== if (end_pfn > pfn) is FALSE - - So, the max_nr_ranges that's counted by the kernel doesn't include - small memory regions - causing us to under-allocate the required space. - That causes the page fault crash that happens in a later code path - when preparing ELF headers. - - This bug is not easy to reproduce on small machines that have few - CPUs, because the allocated page aligned ELF buffer has more free - space to cover those small memory regions' PT_LOAD headers. - - Signed-off-by: Lee, Chun-Yi - Cc: Andy Lutomirski - Cc: Baoquan He - Cc: Jiang Liu - Cc: Linus Torvalds - Cc: Mike Galbraith - Cc: Peter Zijlstra - Cc: Stephen Rothwell - Cc: Takashi Iwai - Cc: Thomas Gleixner - Cc: Viresh Kumar - Cc: Vivek Goyal - Cc: kexec@lists.infradead.org - Cc: linux-kernel@vger.kernel.org - Cc: - Link: http://lkml.kernel.org/r/1443531537-29436-1-git-send-email-jlee@suse.com - 
Signed-off-by: Ingo Molnar - - arch/x86/kernel/crash.c | 7 +++---- - 1 files changed, 3 insertions(+), 4 deletions(-) + fs/proc/base.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) -commit bf91f1e0162bdd27ebd1411090a81fd9188daa4f -Author: Elad Raz -Date: Sat Aug 22 08:44:11 2015 +0300 +commit b28aca2b99ed08546778355fb9402c503ff9b29e +Author: Junichi Nomura +Date: Tue Dec 22 10:23:44 2015 -0700 - netfilter: ipset: Fixing unnamed union init + block: ensure to split after potentially bouncing a bio - In continue to proposed Vinson Lee's post [1], this patch fixes compilation - issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed - unions causes compilation error in gcc 4.4.x. + blk_queue_bio() does split then bounce, which makes the segment + counting based on pages before bouncing and could go wrong. Move + the split to after bouncing, like we do for blk-mq, and the we + fix the issue of having the bio count for segments be wrong. - References - - Visible links - [1] https://lkml.org/lkml/2015/7/5/74 - - Signed-off-by: Elad Raz - Signed-off-by: Pablo Neira Ayuso + Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios") + Cc: stable@vger.kernel.org + Tested-by: Artem S. Tashkinov + 
Signed-off-by: Jens Axboe - net/netfilter/ipset/ip_set_hash_netnet.c | 20 ++++++++++++++++++-- - net/netfilter/ipset/ip_set_hash_netportnet.c | 20 ++++++++++++++++++-- - 2 files changed, 36 insertions(+), 4 deletions(-) + block/blk-core.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) -commit fed13a5012b8d7e87a6f9efa2e40e0be28eaecd9 +commit e62a25e917a9e5b35ddd5b4f1b5e5e30fbd2e84c +Merge: f6f63ae ec72fa5 Author: Brad Spengler -Date: Fri Oct 9 23:12:43 2015 -0400 - - compile fix +Date: Tue Dec 22 19:46:26 2015 -0500 - arch/x86/mm/pgtable.c | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -commit 58edc15a668a6dd90b3f66abc84b509f8fba7505 -Author: Daniel Borkmann -Date: Mon Aug 31 19:11:02 2015 +0200 - - netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths - - Commit 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack - templates") migrated templates to the new allocator api, but forgot to - update error paths for them in CT and synproxy to use nf_ct_tmpl_free() - instead of nf_conntrack_free(). - - Due to that, memory is being freed into the wrong kmemcache, but also - we drop the per net reference count of ct objects causing an imbalance. - - In Brad's case, this leads to a wrap-around of net->ct.count and thus - lets __nf_conntrack_alloc() refuse to create a new ct object: - - [ 10.340913] xt_addrtype: ipv6 does not support BROADCAST matching - [ 10.810168] nf_conntrack: table full, dropping packet - [ 11.917416] r8169 0000:07:00.0 eth0: link up - [ 11.917438] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready - [ 12.815902] nf_conntrack: table full, dropping packet - [ 15.688561] nf_conntrack: table full, dropping packet - [ 15.689365] nf_conntrack: table full, dropping packet - [ 15.690169] nf_conntrack: table full, dropping packet - [ 15.690967] nf_conntrack: table full, dropping packet - [...] - - With slab debugging, it also reports the wrong kmemcache (kmalloc-512 vs. 
- nf_conntrack_ffffffff81ce75c0) and reports poison overwrites, etc. Thus,
- to fix the problem, export and use nf_ct_tmpl_free() instead.
-
- Fixes: 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack templates")
- Reported-by: Brad Jackson
- Signed-off-by: Daniel Borkmann
-
Signed-off-by: Pablo Neira Ayuso - - include/net/netfilter/nf_conntrack.h | 1 + - net/netfilter/nf_conntrack_core.c | 3 ++- - net/netfilter/nf_synproxy_core.c | 2 +- - net/netfilter/xt_CT.c | 2 +- - 4 files changed, 5 insertions(+), 3 deletions(-) + Merge branch 'pax-test' into grsec-test -commit 37d26e44573aaa9c3b1f0c36ec9d4bddc008fc03 +commit ec72fa5f8d9cb4e223bad1b8b5c2e1071c222f2a Author: Brad Spengler -Date: Fri Oct 9 18:22:54 2015 -0400 - - Fix BUG() in scatterwalk_map_and_copy caused by virt_to_page being - called on the KSTACKOVERFLOW's vmalloc'd stack. Thanks to - Yves-Alexis Perez for the report +Date: Tue Dec 22 19:45:51 2015 -0500 - crypto/scatterwalk.c | 10 ++++++++-- - 1 files changed, 8 insertions(+), 2 deletions(-) + Update to pax-linux-4.3.3-test13.patch: + - Emese fixed a (probably) false positive integer truncation in xfs_da_grow_inode_int, reported by jdkbx (http://forums.grsecurity.net/viewtopic.php?f=3&t=4346) + - fixed a size overflow in btrfs/try_merge_map, reported by Alex W (https://bugs.archlinux.org/task/47173) and mathias and dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4344) -commit 8137d53d2b60023587a48004f0b67946ed6db4a8 -Merge: 147420b a9c991f -Author: Brad Spengler -Date: Fri Oct 9 18:20:32 2015 -0400 - - Merge branch 'pax-test' into grsec-test + arch/arm/mm/fault.c | 2 +- + arch/x86/mm/fault.c | 2 +- + fs/btrfs/extent_map.c | 8 ++++++-- + fs/xfs/libxfs/xfs_da_btree.c | 4 +++- + 4 files changed, 11 insertions(+), 5 deletions(-) -commit a9c991f727bb8daf15838296e301683791c17071 +commit f6f63ae154cd45028add1dc41957878060d77fbf Author: Brad Spengler -Date: Fri Oct 9 18:20:07 2015 -0400 - - Update to pax-linux-4.2.3-test8.patch: - - fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) +Date: Thu Dec 17 18:43:44 2015 -0500 + + ptrace_has_cap() checks whether the current process should be + treated as having a certain 
capability for ptrace checks + against another process. Until now, this was equivalent to + has_ns_capability(current, target_ns, CAP_SYS_PTRACE). + + However, if a root-owned process wants to enter a user + namespace for some reason without knowing who owns it and + therefore can't change to the namespace owner's uid and gid + before entering, as soon as it has entered the namespace, + the namespace owner can attach to it via ptrace and thereby + gain access to its uid and gid. + + While it is possible for the entering process to switch to + the uid of a claimed namespace owner before entering, + causing the attempt to enter to fail if the claimed uid is + wrong, this doesn't solve the problem of determining an + appropriate gid. + + With this change, the entering process can first enter the + namespace and then safely inspect the namespace's + properties, e.g. through /proc/self/{uid_map,gid_map}, + assuming that the namespace owner doesn't have access to + uid 0. + Signed-off-by: Jann Horn - arch/x86/kernel/espfix_64.c | 4 +--- - arch/x86/kernel/kvmclock.c | 20 ++++++-------------- - arch/x86/mm/highmem_32.c | 2 ++ - arch/x86/mm/pgtable.c | 33 +++++++++++++++++++++++++++++++++ - 4 files changed, 42 insertions(+), 17 deletions(-) + kernel/ptrace.c | 30 +++++++++++++++++++++++++----- + 1 files changed, 25 insertions(+), 5 deletions(-) -commit 147420b0f00c7f20f354e1dfa460b904a3af432b -Author: Brad Spengler -Date: Fri Oct 9 08:54:24 2015 -0400 +commit e314f0fb63020f61543b401ff594e953c2c304e5 +Author: tadeusz.struk@intel.com +Date: Tue Dec 15 10:46:17 2015 -0800 - Properly fix the bug reported at: - https://code.google.com/p/android/issues/detail?id=187973 + net: fix uninitialized variable issue + + msg_iocb needs to be initialized on the recv/recvfrom path. + Otherwise afalg will wrongly interpret it as an async call. + + Cc: stable@vger.kernel.org + Reported-by: Harald Freudenberger + Signed-off-by: Tadeusz Struk + 
Signed-off-by: David S. Miller - drivers/net/slip/slhc.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) + net/socket.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) -commit 4918a68ea80e1185ec8f3a94d3a2210552ed0bb5 -Merge: 4e736d9 7e02f35 +commit a3f56a43ad56b8fcaf04f6327636ed2f5970de3b +Merge: dfa764c 142edcf Author: Brad Spengler -Date: Wed Oct 7 20:57:21 2015 -0400 +Date: Wed Dec 16 21:01:17 2015 -0500 Merge branch 'pax-test' into grsec-test - - Conflicts: - arch/x86/kernel/espfix_64.c -commit 7e02f35880fd6bdb2f4e7ba07a13d6df1d121008 +commit 142edcf1005a57fb8887823565cf0bafad2f313c Author: Brad Spengler -Date: Wed Oct 7 20:54:36 2015 -0400 - - Update to pax-linux-4.2.3-test7.patch: - - backported vanilla commits b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 and 176fc2d5770a0990eebff903ba680d2edd32e718 - - constified a few more page tables for ESPFIX/amd64 - - fixed xen and the recently added level1_modules_pgt page tables on amd64 +Date: Wed Dec 16 21:00:57 2015 -0500 - arch/x86/include/asm/pgtable_64.h | 1 + - arch/x86/kernel/espfix_64.c | 35 +++++++++++++++++++++++---------- - arch/x86/xen/mmu.c | 4 +++ - drivers/base/regmap/regmap-debugfs.c | 14 +++++------- - 4 files changed, 35 insertions(+), 19 deletions(-) + Update to pax-linux-4.3.3-test12.patch: + - Emese fixed a size overflow false positive in reiserfs/leaf_paste_entries, reported by Christian Apeltauer (https://bugs.gentoo.org/show_bug.cgi?id=568046) + - fixed a bunch of int/size_t mismatches in the drivers/tty/n_tty.c code causing size overflow false positives, reported by Toralf Förster, mathias (https://forums.grsecurity.net/viewtopic.php?f=3&t=4342), N8Fear (https://forums.grsecurity.net/viewtopic.php?f=3&t=4341) -commit 4e736d9e568f6cc0d08dfe7519abf9a5d58a5418 -Author: Robin Murphy -Date: Thu Oct 1 15:37:19 2015 -0700 - - dmapool: fix overflow condition in pool_find_page() - - If a DMA pool lies at the very top of the dma_addr_t range (as may - happen with an IOMMU involved), the 
calculated end address of the pool - wraps around to zero, and page lookup always fails. - - Tweak the relevant calculation to be overflow-proof. - - Signed-off-by: Robin Murphy - Cc: Arnd Bergmann - Cc: Marek Szyprowski - Cc: Sumit Semwal - Cc: Sakari Ailus - Cc: Russell King - Signed-off-by: Andrew Morton - Signed-off-by: Linus Torvalds - - mm/dmapool.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + drivers/tty/n_tty.c | 16 ++++++++-------- + .../disable_size_overflow_hash.data | 2 ++ + .../size_overflow_plugin/size_overflow_hash.data | 6 ++---- + 3 files changed, 12 insertions(+), 12 deletions(-) -commit 96a101a9b4208a6e5f2a0db7599881142e70ba43 -Author: Greg Thelen -Date: Thu Oct 1 15:37:05 2015 -0700 +commit dfa764cc549892a5bfc1083cac78b99032cae577 +Author: Hannes Frederic Sowa +Date: Tue Dec 15 22:59:12 2015 +0100 - memcg: make mem_cgroup_read_stat() unsigned - - mem_cgroup_read_stat() returns a page count by summing per cpu page - counters. The summing is racy wrt. updates, so a transient negative - sum is possible. Callers don't want negative values: + ipv6: automatically enable stable privacy mode if stable_secret set - - mem_cgroup_wb_stats() doesn't want negative nr_dirty or nr_writeback. - This could confuse dirty throttling. + Bjørn reported that while we switch all interfaces to privacy stable mode + when setting the secret, we don't set this mode for new interfaces. This + does not make sense, so change this behaviour. - - oom reports and memory.stat shouldn't show confusing negative usage. - - - tree_usage() already avoids negatives. - - Avoid returning negative page counts from mem_cgroup_read_stat() and - convert it to unsigned. - - [akpm@linux-foundation.org: fix old typo while we're in there] - Signed-off-by: Greg Thelen - Cc: Johannes Weiner - Acked-by: Michal Hocko - Cc: [4.2+] - Signed-off-by: Andrew Morton - 
Signed-off-by: Linus Torvalds - - mm/memcontrol.c | 30 ++++++++++++++++++------------ - 1 files changed, 18 insertions(+), 12 deletions(-) - -commit b7808c46650d5f4c09f071566de991af36eb9d37 -Author: Daniel Borkmann -Date: Fri Oct 2 12:06:03 2015 +0200 - - bpf: fix panic in SO_GET_FILTER with native ebpf programs - - When sockets have a native eBPF program attached through - setsockopt(sk, SOL_SOCKET, SO_ATTACH_BPF, ...), and then try to - dump these over getsockopt(sk, SOL_SOCKET, SO_GET_FILTER, ...), - the following panic appears: - - [49904.178642] BUG: unable to handle kernel NULL pointer dereference at (null) - [49904.178762] IP: [] sk_get_filter+0x39/0x90 - [49904.182000] PGD 86fc9067 PUD 531a1067 PMD 0 - [49904.185196] Oops: 0000 [#1] SMP - [...] - [49904.224677] Call Trace: - [49904.226090] [] sock_getsockopt+0x319/0x740 - [49904.227535] [] ? sock_has_perm+0x63/0x70 - [49904.228953] [] ? release_sock+0x108/0x150 - [49904.230380] [] ? selinux_socket_getsockopt+0x23/0x30 - [49904.231788] [] SyS_getsockopt+0xa6/0xc0 - [49904.233267] [] entry_SYSCALL_64_fastpath+0x12/0x71 - - The underlying issue is the very same as in commit b382c0865600 - ("sock, diag: fix panic in sock_diag_put_filterinfo"), that is, - native eBPF programs don't store an original program since this - is only needed in cBPF ones. - - However, sk_get_filter() wasn't updated to test for this at the - time when eBPF could be attached. Just throw an error to the user - to indicate that eBPF cannot be dumped over this interface. - That way, it can also be known that a program _is_ attached (as - opposed to just return 0), and a different (future) method needs - to be consulted for a dump. - - Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets") - Signed-off-by: Daniel Borkmann - Acked-by: Alexei Starovoitov + Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf") + Reported-by: Bjørn Mork + Cc: Bjørn Mork + 
Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller - net/core/filter.c | 6 +++++- - 1 files changed, 5 insertions(+), 1 deletions(-) + net/ipv6/addrconf.c | 6 ++++++ + 1 files changed, 6 insertions(+), 0 deletions(-) -commit 40853c884afb5fc2dcb9f7fc34ef446162566fcc -Author: Steve French -Date: Mon Sep 28 17:21:07 2015 -0500 +commit c2815a1fee03f222273e77c14e43f960da06f35a +Author: Brad Spengler +Date: Wed Dec 16 13:03:38 2015 -0500 - [SMB3] Do not fall back to SMBWriteX in set_file_size error cases - - The error paths in set_file_size for cifs and smb3 are incorrect. - - In the unlikely event that a server did not support set file info - of the file size, the code incorrectly falls back to trying SMBWriteX - (note that only the original core SMB Write, used for example by DOS, - can set the file size this way - this actually does not work for the more - recent SMBWriteX). The idea was since the old DOS SMB Write could set - the file size if you write zero bytes at that offset then use that if - server rejects the normal set file info call. - - Fortunately the SMBWriteX will never be sent on the wire (except when - file size is zero) since the length and offset fields were reversed - in the two places in this function that call SMBWriteX causing - the fall back path to return an error. It is also important to never call - an SMB request from an SMB2/sMB3 session (which theoretically would - be possible, and can cause a brief session drop, although the client - recovers) so this should be fixed. In practice this path does not happen - with modern servers but the error fall back to SMBWriteX is clearly wrong. - - Removing the calls to SMBWriteX in the error paths in cifs_set_file_size - - Pointed out by PaX/grsecurity team - - 
Signed-off-by: Steve French - Reported-by: PaX Team - CC: Emese Revfy - CC: Brad Spengler - CC: Stable + Work around upstream limitation on the number of thread info flags causing a compilation error + Reported by fabled at http://forums.grsecurity.net/viewtopic.php?f=3&t=4339 - fs/cifs/inode.c | 34 ---------------------------------- - 1 files changed, 0 insertions(+), 34 deletions(-) + arch/arm/kernel/entry-common.S | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) -commit f5fad97c967a08f4a89513969598b1d3c8232a38 +commit 8c9ae168e09ae49324d709d76d73d9fc4ca477e1 Author: Brad Spengler -Date: Wed Oct 7 18:22:40 2015 -0400 +Date: Tue Dec 15 19:03:41 2015 -0500 - Initial import of grsecurity for Linux 4.2.3 - Note that size_overflow is currently marked BROKEN + Initial import of grsecurity 3.1 for Linux 4.3.3 Documentation/dontdiff | 2 + Documentation/kernel-parameters.txt | 7 + @@ -1658,8 +1605,10 @@ Date: Wed Oct 7 18:22:40 2015 -0400 Makefile | 18 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- + arch/arc/Kconfig | 1 + arch/arm/Kconfig | 1 + - arch/arm/include/asm/thread_info.h | 9 +- + arch/arm/Kconfig.debug | 1 + + arch/arm/include/asm/thread_info.h | 7 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- @@ -1667,7 +1616,9 @@ Date: Wed Oct 7 18:22:40 2015 -0400 arch/arm/mm/fault.c | 40 +- arch/arm/mm/mmap.c | 8 +- arch/arm/net/bpf_jit_32.c | 51 +- + arch/arm64/Kconfig.debug | 1 + arch/avr32/include/asm/cache.h | 4 +- + arch/blackfin/Kconfig.debug | 1 + arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- 
@@ -1694,7 +1645,7 @@ Date: Wed Oct 7 18:22:40 2015 -0400 arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 4 + arch/powerpc/Kconfig | 1 + - arch/powerpc/include/asm/cache.h | 3 +- + arch/powerpc/include/asm/cache.h | 4 +- arch/powerpc/include/asm/thread_info.h | 5 +- arch/powerpc/kernel/Makefile | 2 + arch/powerpc/kernel/irq.c | 3 + @@ -1702,6 +1653,7 @@ Date: Wed Oct 7 18:22:40 2015 -0400 arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 2 +- + arch/s390/Kconfig.debug | 1 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- 
@@ -1725,32 +1677,35 @@ Date: Wed Oct 7 18:22:40 2015 -0400 arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 21 + + arch/x86/Kconfig.debug | 2 + + arch/x86/entry/common.c | 14 + arch/x86/entry/entry_32.S | 2 +- arch/x86/entry/entry_64.S | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/floppy.h | 20 +- + arch/x86/include/asm/fpu/types.h | 69 +- arch/x86/include/asm/io.h | 2 +- arch/x86/include/asm/page.h | 12 +- arch/x86/include/asm/paravirt_types.h | 23 +- - arch/x86/include/asm/processor.h | 2 +- - arch/x86/include/asm/thread_info.h | 8 +- + arch/x86/include/asm/processor.h | 12 +- + arch/x86/include/asm/thread_info.h | 6 +- + arch/x86/include/asm/uaccess.h | 2 +- arch/x86/kernel/dumpstack.c | 10 +- arch/x86/kernel/dumpstack_32.c | 2 +- arch/x86/kernel/dumpstack_64.c | 2 +- - arch/x86/kernel/espfix_64.c | 2 +- - arch/x86/kernel/fpu/init.c | 4 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/irq_32.c | 3 + arch/x86/kernel/irq_64.c | 4 + arch/x86/kernel/ldt.c | 18 + arch/x86/kernel/msr.c | 10 + - arch/x86/kernel/ptrace.c | 28 + + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/traps.c | 5 + arch/x86/kernel/verify_cpu.S | 1 + - arch/x86/kernel/vm86_32.c | 16 + + arch/x86/kernel/vm86_32.c | 15 + + arch/x86/kvm/svm.c | 14 +- arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- @@ -1760,6 +1715,9 @@ Date: Wed Oct 7 18:22:40 2015 -0400 arch/x86/xen/Kconfig | 1 + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- + crypto/ablkcipher.c | 2 +- + crypto/blkcipher.c | 2 +- + crypto/scatterwalk.c | 10 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/acpi/custom_method.c | 4 + drivers/block/cciss.h | 30 +- 
@@ -1767,29 +1725,37 @@ Date: Wed Oct 7 18:22:40 2015 -0400 drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + + drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 17 + drivers/char/random.c | 5 +- drivers/cpufreq/sparc-us3-cpufreq.c | 2 - + drivers/crypto/nx/nx-aes-ccm.c | 2 +- + drivers/crypto/nx/nx-aes-gcm.c | 2 +- + drivers/crypto/talitos.c | 2 +- drivers/firewire/ohci.c | 4 + - drivers/gpu/drm/drm_context.c | 50 +- - drivers/gpu/drm/drm_drv.c | 11 +- - drivers/gpu/drm/drm_lock.c | 18 +- - drivers/gpu/drm/i915/i915_dma.c | 2 + - drivers/gpu/drm/nouveau/nouveau_drm.c | 3 +- - drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 70 +- + drivers/gpu/drm/nouveau/nouveau_ttm.c | 28 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/hid/hid-wiimote-debug.c | 2 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- + drivers/iommu/Kconfig | 1 + drivers/iommu/amd_iommu.c | 14 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- + drivers/isdn/hisax/config.c | 2 +- + drivers/isdn/hisax/hfc_pci.c | 2 +- + drivers/isdn/hisax/hfc_sx.c | 2 +- + drivers/isdn/hisax/q931.c | 6 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- + drivers/md/bcache/Kconfig | 1 + drivers/md/raid5.c | 8 + drivers/media/pci/solo6x10/solo6x10-g723.c | 2 +- + drivers/media/platform/sti/c8sectpfe/Kconfig | 1 + + drivers/media/platform/vivid/vivid-osd.c | 1 + drivers/media/radio/radio-cadet.c | 5 +- drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +- drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 +- 
@@ -1798,9 +1764,15 @@ Date: Wed Oct 7 18:22:40 2015 -0400 drivers/message/fusion/mptbase.c | 9 + drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- + drivers/net/ppp/pppoe.c | 14 +- + drivers/net/ppp/pptp.c | 6 + + drivers/net/slip/slhc.c | 3 + drivers/net/wan/lmc/lmc_media.c | 97 +- + drivers/net/wan/x25_asy.c | 6 +- drivers/net/wan/z85230.c | 24 +- + drivers/net/wireless/ath/ath9k/Kconfig | 1 - drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + drivers/pci/pci-sysfs.c | 2 +- drivers/pci/proc.c | 9 + drivers/platform/x86/asus-wmi.c | 12 + drivers/rtc/rtc-dev.c | 3 + @@ -1808,9 +1780,11 @@ Date: Wed Oct 7 18:22:40 2015 -0400 drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 40 +- + drivers/staging/dgnc/dgnc_mgmt.c | 1 + drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- - drivers/staging/sm750fb/sm750.c | 3 + + drivers/target/target_core_sbc.c | 17 +- + drivers/target/target_core_transport.c | 14 +- drivers/tty/serial/uartlite.c | 4 +- drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- @@ -1830,19 +1804,18 @@ Date: Wed Oct 7 18:22:40 2015 -0400 firmware/WHENCE | 20 +- firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 +++++++++++++++++ firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 ++++++++++++++++++++ + fs/9p/vfs_inode.c | 4 +- fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + - fs/binfmt_elf.c | 40 +- + fs/binfmt_elf.c | 50 +- fs/compat.c | 20 +- fs/coredump.c | 17 +- fs/dcache.c | 3 + fs/debugfs/inode.c | 11 +- - fs/exec.c | 218 +- + fs/exec.c | 219 +- fs/ext2/balloc.c | 4 +- fs/ext2/super.c | 8 +- - fs/ext3/balloc.c | 4 +- - fs/ext3/super.c | 8 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 4 + fs/fhandle.c | 3 +- 
@@ -1853,17 +1826,17 @@ Date: Wed Oct 7 18:22:40 2015 -0400 fs/inode.c | 8 +- fs/kernfs/dir.c | 6 + fs/mount.h | 4 +- - fs/namei.c | 285 +- + fs/namei.c | 286 +- fs/namespace.c | 24 + fs/nfsd/nfscache.c | 2 +- fs/open.c | 38 + - fs/overlayfs/inode.c | 3 + + fs/overlayfs/inode.c | 11 +- fs/overlayfs/super.c | 6 +- fs/pipe.c | 2 +- fs/posix_acl.c | 15 +- fs/proc/Kconfig | 10 +- - fs/proc/array.c | 66 +- - fs/proc/base.c | 168 +- + fs/proc/array.c | 69 +- + fs/proc/base.c | 186 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- @@ -1872,6 +1845,8 @@ Date: Wed Oct 7 18:22:40 2015 -0400 fs/proc/internal.h | 11 +- fs/proc/interrupts.c | 4 + fs/proc/kcore.c | 3 + + fs/proc/meminfo.c | 7 +- + fs/proc/namespaces.c | 4 +- fs/proc/proc_net.c | 31 + fs/proc/proc_sysctl.c | 52 +- fs/proc/root.c | 8 + @@ -1882,8 +1857,10 @@ Date: Wed Oct 7 18:22:40 2015 -0400 fs/reiserfs/super.c | 4 + fs/select.c | 2 + fs/seq_file.c | 30 +- + fs/splice.c | 8 + fs/stat.c | 20 +- fs/sysfs/dir.c | 30 +- + fs/sysv/inode.c | 11 +- fs/utimes.c | 7 + fs/xattr.c | 26 +- grsecurity/Kconfig | 1182 ++++ @@ -1921,8 +1898,8 @@ Date: Wed Oct 7 18:22:40 2015 -0400 grsecurity/grsec_tpe.c | 78 + grsecurity/grsec_usb.c | 15 + grsecurity/grsum.c | 64 + - include/drm/drmP.h | 23 +- include/linux/binfmts.h | 5 +- + include/linux/bitops.h | 2 +- include/linux/capability.h | 13 + include/linux/compiler-gcc.h | 5 + include/linux/compiler.h | 8 + @@ -1937,7 +1914,7 @@ Date: Wed Oct 7 18:22:40 2015 -0400 include/linux/grdefs.h | 140 + include/linux/grinternal.h | 230 + include/linux/grmsg.h | 118 + - include/linux/grsecurity.h | 249 + + include/linux/grsecurity.h | 255 + include/linux/grsock.h | 19 + include/linux/ipc.h | 2 +- include/linux/ipc_namespace.h | 2 +- 
@@ -1949,6 +1926,7 @@ Date: Wed Oct 7 18:22:40 2015 -0400 include/linux/mm_types.h | 4 +- include/linux/module.h | 5 +- include/linux/mount.h | 2 +- + include/linux/msg.h | 2 +- include/linux/netfilter/xt_gradm.h | 9 + include/linux/path.h | 4 +- include/linux/perf_event.h | 13 +- @@ -1956,11 +1934,13 @@ Date: Wed Oct 7 18:22:40 2015 -0400 include/linux/printk.h | 2 +- include/linux/proc_fs.h | 22 +- include/linux/proc_ns.h | 2 +- + include/linux/ptrace.h | 24 +- include/linux/random.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/scatterlist.h | 12 +- - include/linux/sched.h | 110 +- - include/linux/security.h | 3 +- + include/linux/sched.h | 114 +- + include/linux/security.h | 1 + + include/linux/sem.h | 2 +- include/linux/seq_file.h | 5 + include/linux/shm.h | 6 +- include/linux/skbuff.h | 3 + @@ -1973,21 +1953,23 @@ Date: Wed Oct 7 18:22:40 2015 -0400 include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/linux/vermagic.h | 16 +- - include/linux/vmalloc.h | 8 + + include/linux/vmalloc.h | 20 +- include/net/af_unix.h | 2 +- + include/net/dst.h | 33 + include/net/ip.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 2 +- - include/net/sock.h | 2 +- + include/net/sock.h | 4 +- + include/target/target_core_base.h | 2 +- include/trace/events/fs.h | 53 + - include/uapi/drm/i915_drm.h | 1 + include/uapi/linux/personality.h | 1 + - init/Kconfig | 3 +- + init/Kconfig | 4 +- init/main.c | 35 +- ipc/mqueue.c | 1 + - ipc/msg.c | 14 +- - ipc/shm.c | 36 +- - ipc/util.c | 14 +- + ipc/msg.c | 3 +- + ipc/sem.c | 3 +- + ipc/shm.c | 26 +- + ipc/util.c | 6 + kernel/auditsc.c | 2 +- kernel/bpf/syscall.c | 8 +- kernel/capability.c | 41 +- 
@@ -1995,47 +1977,49 @@ Date: Wed Oct 7 18:22:40 2015 -0400 kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 112 +- - kernel/events/core.c | 14 +- + kernel/events/core.c | 16 +- kernel/exit.c | 10 +- kernel/fork.c | 86 +- - kernel/futex.c | 4 +- + kernel/futex.c | 6 +- + kernel/futex_compat.c | 2 +- kernel/kallsyms.c | 9 + - kernel/kcmp.c | 4 + - kernel/kexec.c | 2 +- + kernel/kcmp.c | 8 +- + kernel/kexec_core.c | 2 +- kernel/kmod.c | 95 +- kernel/kprobes.c | 7 +- kernel/ksysfs.c | 2 + kernel/locking/lockdep_proc.c | 10 +- kernel/module.c | 108 +- kernel/panic.c | 4 +- - kernel/pid.c | 19 +- + kernel/pid.c | 23 +- kernel/power/Kconfig | 2 + - kernel/printk/printk.c | 7 +- - kernel/ptrace.c | 20 +- + kernel/printk/printk.c | 20 +- + kernel/ptrace.c | 56 +- kernel/resource.c | 10 + kernel/sched/core.c | 11 +- kernel/signal.c | 37 +- kernel/sys.c | 64 +- - kernel/sysctl.c | 180 +- + kernel/sysctl.c | 172 +- kernel/taskstats.c | 6 + kernel/time/posix-timers.c | 8 + kernel/time/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 13 +- kernel/time/timer_stats.c | 10 +- + kernel/trace/Kconfig | 2 + kernel/trace/trace_syscalls.c | 8 + kernel/user_namespace.c | 15 + - lib/Kconfig.debug | 7 +- + lib/Kconfig.debug | 13 +- + lib/Kconfig.kasan | 2 +- lib/is_single_threaded.c | 3 + lib/list_debug.c | 65 +- lib/nlattr.c | 2 + lib/rbtree.c | 4 +- lib/vsprintf.c | 39 +- localversion-grsec | 1 + - mm/Kconfig | 5 +- + mm/Kconfig | 8 +- mm/Kconfig.debug | 1 + mm/filemap.c | 1 + - mm/hugetlb.c | 8 + mm/kmemleak.c | 4 +- mm/memory.c | 2 +- mm/mempolicy.c | 12 +- 
@@ -2043,19 +2027,21 @@ Date: Wed Oct 7 18:22:40 2015 -0400 mm/mlock.c | 6 +- mm/mmap.c | 93 +- mm/mprotect.c | 8 + + mm/oom_kill.c | 28 +- mm/page_alloc.c | 2 +- - mm/process_vm_access.c | 6 + - mm/shmem.c | 2 +- - mm/slab.c | 27 +- + mm/process_vm_access.c | 8 +- + mm/shmem.c | 36 +- + mm/slab.c | 14 +- mm/slab_common.c | 2 +- mm/slob.c | 12 + mm/slub.c | 33 +- mm/util.c | 3 + - mm/vmalloc.c | 80 +- + mm/vmalloc.c | 129 +- mm/vmstat.c | 29 +- net/appletalk/atalk_proc.c | 2 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- + net/bluetooth/sco.c | 3 + net/can/bcm.c | 2 +- net/can/proc.c | 2 +- net/core/dev_ioctl.c | 7 +- @@ -2066,19 +2052,20 @@ Date: Wed Oct 7 18:22:40 2015 -0400 net/core/sysctl_net_core.c | 2 +- net/decnet/dn_dev.c | 2 +- net/ipv4/devinet.c | 6 +- - net/ipv4/inet_hashtables.c | 5 + + net/ipv4/inet_hashtables.c | 4 + net/ipv4/ip_input.c | 7 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +- + net/ipv4/netfilter/nf_nat_pptp.c | 2 +- net/ipv4/route.c | 6 +- net/ipv4/tcp_input.c | 4 +- - net/ipv4/tcp_ipv4.c | 24 +- + net/ipv4/tcp_ipv4.c | 29 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/addrconf.c | 13 +- net/ipv6/proc.c | 2 +- - net/ipv6/tcp_ipv6.c | 23 +- + net/ipv6/tcp_ipv6.c | 26 +- net/ipv6/udp.c | 7 + net/ipx/ipx_proc.c | 2 +- net/irda/irproc.c | 2 +- @@ -2089,7 +2076,10 @@ Date: Wed Oct 7 18:22:40 2015 -0400 net/netfilter/xt_gradm.c | 51 + net/netfilter/xt_hashlimit.c | 4 +- net/netfilter/xt_recent.c | 2 +- - net/socket.c | 71 +- + net/sched/sch_api.c | 2 +- + net/sctp/socket.c | 4 +- + net/socket.c | 75 +- + net/sunrpc/Kconfig | 1 + net/sunrpc/cache.c | 2 +- net/sunrpc/stats.c | 2 +- net/sysctl_net.c | 2 +- 
@@ -2099,16 +2089,18 @@ Date: Wed Oct 7 18:22:40 2015 -0400
 net/x25/sysctl_net_x25.c | 2 +-
 net/x25/x25_proc.c | 2 +-
 scripts/package/Makefile | 2 +-
- scripts/package/mkspec | 38 +-
- security/Kconfig | 370 +-
+ scripts/package/mkspec | 41 +-
+ security/Kconfig | 369 +-
 security/apparmor/file.c | 4 +-
 security/apparmor/lsm.c | 8 +-
- security/commoncap.c | 29 +
+ security/commoncap.c | 36 +-
 security/min_addr.c | 2 +
+ security/smack/smack_lsm.c | 8 +-
 security/tomoyo/file.c | 12 +-
 security/tomoyo/mount.c | 4 +
 security/tomoyo/tomoyo.c | 20 +-
 security/yama/Kconfig | 2 +-
+ security/yama/yama_lsm.c | 4 +-
 sound/synth/emux/emux_seq.c | 14 +-
 sound/usb/line6/driver.c | 40 +-
 sound/usb/line6/toneport.c | 12 +-
@@ -2117,124 +2109,176 @@ Date: Wed Oct 7 18:22:40 2015 -0400 tools/gcc/gen-random-seed.sh | 8 + tools/gcc/randomize_layout_plugin.c | 930 +++ tools/gcc/size_overflow_plugin/.gitignore | 1 + - .../size_overflow_plugin/size_overflow_hash.data | 320 +- - 466 files changed, 32295 insertions(+), 2907 deletions(-) + .../size_overflow_plugin/size_overflow_hash.data | 459 ++- + 511 files changed, 32631 insertions(+), 3196 deletions(-) -commit fc19197ab5a42069863a7d88f1d41eb687697fe9 +commit a76adb92ce39aee8eec5a025c828030ad6135c6d Author: Brad Spengler -Date: Sun Oct 4 20:43:51 2015 -0400 +Date: Tue Dec 15 14:31:49 2015 -0500 - Update to pax-linux-4.2.3-test6.patch: - - fixed a KERNEXEC/x86 and early ioremap regression, reported by spender - - sanitized a few more top level page table entries on amd64 + Update to pax-linux-4.3.3-test11.patch: + - fixed a few compile regressions with the recent plugin changes, reported by spender + - updated the size overflow hash table - arch/x86/kernel/espfix_64.c | 2 +- - arch/x86/kernel/head_64.S | 8 ++++---- - arch/x86/mm/ioremap.c | 6 +++++- - 3 files changed, 10 insertions(+), 6 deletions(-) + tools/gcc/latent_entropy_plugin.c | 2 +- + .../size_overflow_plugin/size_overflow_hash.data | 66 +++++++++++++++++--- + tools/gcc/stackleak_plugin.c | 2 +- + tools/gcc/structleak_plugin.c | 6 +-- + 4 files changed, 60 insertions(+), 16 deletions(-) -commit 23ac5415b9ef394e10b1516d3b314c742c6a3e59 -Author: Brad Spengler -Date: Sun Oct 4 17:47:37 2015 -0400 - - Resync with pax-linux-4.2.3-test5.patch - - arch/x86/include/asm/pgtable-2level.h | 20 ++++++++++++++++---- - arch/x86/include/asm/pgtable-3level.h | 8 ++++++++ - arch/x86/include/asm/pgtable_32.h | 2 -- - arch/x86/include/asm/pgtable_64.h | 20 ++++++++++++++++---- - arch/x86/mm/highmem_32.c | 2 -- - arch/x86/mm/init_64.c | 2 -- - arch/x86/mm/iomap_32.c | 4 ---- - arch/x86/mm/ioremap.c | 2 +- - arch/x86/mm/pgtable.c | 2 -- - arch/x86/mm/pgtable_32.c | 3 --- - mm/highmem.c | 6 +----- - 
mm/vmalloc.c | 12 +----------- - .../size_overflow_plugin/size_overflow_hash.data | 2 -- - 13 files changed, 43 insertions(+), 42 deletions(-) - -commit 25f4bed80f0d87783793a70d6c20080031a1fd38 -Author: Brad Spengler -Date: Sun Oct 4 13:06:32 2015 -0400 - - Update to pax-linux-4.2.3-test5.patch: - - forward port to 4.2.3 - - fixed integer sign conversion errors caused by ieee80211_tx_rate_control.max_rate_idx, caught by the size overflow plugin - - fixed a bug in try_preserve_large_page that caused unnecessary large page split ups - - increased the number of statically allocated kernel page tables under KERNEXEC/amd64 - - arch/x86/include/asm/pgtable-2level.h | 2 ++ - arch/x86/include/asm/pgtable-3level.h | 5 +++++ - arch/x86/include/asm/pgtable_64.h | 2 ++ - arch/x86/kernel/cpu/bugs_64.c | 2 ++ - arch/x86/kernel/head_64.S | 28 +++++++++++++++++++++++----- - arch/x86/kernel/vmlinux.lds.S | 8 +++++++- - arch/x86/mm/init.c | 18 ++++++++++++++---- - arch/x86/mm/ioremap.c | 8 ++++++-- - arch/x86/mm/pageattr.c | 5 ++--- - arch/x86/mm/pgtable.c | 2 ++ - include/asm-generic/sections.h | 1 + - include/asm-generic/vmlinux.lds.h | 2 ++ - include/net/mac80211.h | 2 +- - mm/vmalloc.c | 7 ++++++- - 14 files changed, 75 insertions(+), 17 deletions(-) - -commit a2dce7cb2e3c389b7ef6c76c15ccdbf506007ddd -Merge: d113ff6 fcba09f +commit f7284b1fc06628fcb2d35d2beecdea5454d46af9 Author: Brad Spengler -Date: Sat Oct 3 09:12:31 2015 -0400 +Date: Tue Dec 15 11:50:24 2015 -0500 - Merge branch 'linux-4.2.y' into pax-test + Apply structleak ICE fix for gcc < 4.9 -commit d113ff6e7835e89e2b954503b1a100750ddb43c7 + tools/gcc/structleak_plugin.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +commit 92fe3eb9fd10ec7f7334decab1526989669b0287 Author: Brad Spengler -Date: Thu Oct 1 21:34:12 2015 -0400 - - Update to pax-linux-4.2.2-test5.patch: - - fixed a RANDKSTACK regression, reported by spender - - fixed some more compiler warnings due to the ktla_ktva changes, reported by spender 
- - arch/x86/entry/entry_64.S | 2 ++ - arch/x86/kernel/process.c | 1 + - drivers/hv/hv.c | 2 +- - drivers/lguest/x86/core.c | 4 ++-- - drivers/misc/kgdbts.c | 4 ++-- - drivers/video/fbdev/uvesafb.c | 4 ++-- - fs/binfmt_elf_fdpic.c | 2 +- - 7 files changed, 11 insertions(+), 8 deletions(-) - -commit 149e32a4dddfae46e2490f011870cd4492ca946c +Date: Tue Dec 15 07:57:06 2015 -0500 + + Update to pax-linux-4.3.1-test10.patch: + - Emese fixed INDIRECT_REF and TARGET_MEM_REF handling in the initify plugin + - Emese regenerated the size overflow hash tables for 4.3 + - fixed some compat syscall exit paths to restore r12 under KERNEXEC/or + - the latent entropy, stackleak and structleak plugins no longer split the entry block unnecessarily + + arch/x86/entry/entry_64.S | 2 +- + arch/x86/entry/entry_64_compat.S | 15 +- + scripts/package/builddeb | 2 +- + tools/gcc/initify_plugin.c | 11 +- + tools/gcc/latent_entropy_plugin.c | 20 +- + .../disable_size_overflow_hash.data | 4 + + .../size_overflow_plugin/size_overflow_hash.data | 5345 +++++++++++--------- + tools/gcc/stackleak_plugin.c | 26 +- + tools/gcc/structleak_plugin.c | 21 +- + 9 files changed, 3079 insertions(+), 2367 deletions(-) + +commit 5bd245cb687319079c2f1c0d6a1170791ed1ed2c +Merge: b5847e6 3548341 Author: Brad Spengler -Date: Tue Sep 29 16:31:50 2015 -0400 +Date: Tue Dec 15 07:47:56 2015 -0500 - Update to pax-linux-4.2.2-test4.patch: - - fixed a few compiler warnings caused by the recently reworked ktla_ktva/ktva_ktla functions, reported by spender - - Emese fixed a size overflow false positive in the IDE driver, reported by spender + Merge branch 'linux-4.3.y' into pax-4_3 + + Conflicts: + net/unix/af_unix.c - arch/x86/lib/insn.c | 2 +- - drivers/ide/ide-disk.c | 2 +- - drivers/video/fbdev/vesafb.c | 4 ++-- - fs/binfmt_elf.c | 2 +- - .../size_overflow_plugin/size_overflow_plugin.c | 4 ++-- - .../size_overflow_transform_core.c | 11 +++++------ - 6 files changed, 12 insertions(+), 13 deletions(-) - -commit 
02c41b848fbaddf82ce98690b23d3d85a94d55fe -Merge: b8b2f5b 7659db3 +commit b5847e6a896c5d99191135ca4d7c3b6be8f116ff Author: Brad Spengler -Date: Tue Sep 29 15:50:40 2015 -0400 +Date: Wed Dec 9 23:11:36 2015 -0500 + + Update to pax-linux-4.3.1-test9.patch: + - fixed __get_user on x86 to lie less about the size of the load, reported by peetaur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4332) + - Emese fixed an intentional overflow caused by gcc, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4333) + - Emese fixed a false positive overflow report in the forcedeth driver, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?t=4334) + - Emese fixed a false positive overflow report in KVM's emulator, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4336) + - Emese fixed the initify plugin to detect some captured use of __func__, reported by Rasmus Villemoes + - constrained shmmax and shmall to avoid triggering size overflow checks, reported by Mathias Krause + - the checker plugin can partially handle sparse's locking context annotations, it's context insensitive and thus not exactly useful for now, also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59856 + + Makefile | 6 + + arch/x86/include/asm/compat.h | 4 + + arch/x86/include/asm/dma.h | 2 + + arch/x86/include/asm/pmem.h | 2 +- + arch/x86/include/asm/uaccess.h | 20 +- + arch/x86/kernel/apic/vector.c | 6 +- + arch/x86/kernel/cpu/mtrr/generic.c | 6 +- + arch/x86/kernel/cpu/perf_event_intel.c | 28 +- + arch/x86/kernel/head_64.S | 1 - + arch/x86/kvm/i8259.c | 10 +- + arch/x86/kvm/ioapic.c | 2 + + arch/x86/kvm/x86.c | 2 + + arch/x86/lib/usercopy_64.c | 2 +- + arch/x86/mm/mpx.c | 4 +- + arch/x86/mm/pageattr.c | 7 + + drivers/base/devres.c | 4 +- + drivers/base/power/runtime.c | 6 +- + drivers/base/regmap/regmap.c | 4 +- + drivers/block/drbd/drbd_receiver.c | 4 +- + drivers/block/drbd/drbd_worker.c | 6 +- + drivers/char/virtio_console.c | 6 +- + drivers/md/dm.c | 
12 +- + drivers/net/ethernet/nvidia/forcedeth.c | 4 +- + drivers/net/macvtap.c | 4 +- + drivers/video/fbdev/core/fbmem.c | 10 +- + fs/compat.c | 3 +- + fs/coredump.c | 2 +- + fs/dcache.c | 13 +- + fs/fhandle.c | 2 +- + fs/file.c | 14 +- + fs/fs-writeback.c | 11 +- + fs/overlayfs/copy_up.c | 2 +- + fs/readdir.c | 3 +- + fs/super.c | 3 +- + include/linux/compiler.h | 36 ++- + include/linux/rcupdate.h | 8 + + include/linux/sched.h | 4 +- + include/linux/seqlock.h | 10 + + include/linux/spinlock.h | 17 +- + include/linux/srcu.h | 5 +- + include/linux/syscalls.h | 2 +- + include/linux/writeback.h | 3 +- + include/uapi/linux/swab.h | 6 +- + ipc/ipc_sysctl.c | 6 + + kernel/exit.c | 25 +- + kernel/resource.c | 4 +- + kernel/signal.c | 12 +- + kernel/user.c | 2 +- + kernel/workqueue.c | 6 +- + lib/rhashtable.c | 4 +- + net/compat.c | 2 +- + net/ipv4/xfrm4_mode_transport.c | 2 +- + security/keys/internal.h | 8 +- + security/keys/keyring.c | 4 - + sound/core/seq/seq_clientmgr.c | 8 +- + sound/core/seq/seq_compat.c | 2 +- + sound/core/seq/seq_memory.c | 6 +- + tools/gcc/checker_plugin.c | 415 +++++++++++++++++++- + tools/gcc/gcc-common.h | 1 + + tools/gcc/initify_plugin.c | 33 ++- + .../disable_size_overflow_hash.data | 1 + + .../size_overflow_plugin/size_overflow_hash.data | 1 - + 62 files changed, 708 insertions(+), 140 deletions(-) + +commit f2634c2f6995f4231616f24ed016f890c701f939 +Merge: 1241bff 5f8b236 +Author: Brad Spengler +Date: Wed Dec 9 21:50:47 2015 -0500 - Merge branch 'linux-4.2.y' into pax-test + Merge branch 'linux-4.3.y' into pax-4_3 Conflicts: - fs/nfs/inode.c + arch/x86/kernel/fpu/xstate.c + arch/x86/kernel/head_64.S -commit b8b2f5bc93ced0ca9a8366d0f3fa09abd1ca7ac6 +commit 1241bff82e3d7dadb05de0a60b8d2822afc6547c Author: Brad Spengler -Date: Tue Sep 29 09:13:54 2015 -0400 +Date: Sun Dec 6 08:44:56 2015 -0500 + + Update to pax-linux-4.3-test8.patch: + - fixed integer truncation check in md introduced by upstream commits 
284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41, reported by BeiKed9o (https://forums.grsecurity.net/viewtopic.php?f=3&t=4328) + - gcc plugin compilation problems will now also produce the output of the checking script to make diagnosis easier, reported by hunger + - Emese fixed a false positive size overflow report in __vhost_add_used_n, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4329) + - fixed a potential integer truncation error in the raid1 code caught by the size overflow plugin, reported by d1b (https://forums.grsecurity.net/viewtopic.php?f=3&t=4331) + + Makefile | 5 +++ + drivers/md/md.c | 5 ++- + drivers/md/raid1.c | 2 +- + fs/proc/task_mmu.c | 3 ++ + .../disable_size_overflow_hash.data | 4 ++- + .../size_overflow_plugin/intentional_overflow.c | 32 ++++++++++++++++--- + .../size_overflow_plugin/size_overflow_hash.data | 2 - + .../size_overflow_plugin/size_overflow_plugin.c | 2 +- + 8 files changed, 43 insertions(+), 12 deletions(-) - Initial import of pax-linux-4.2.1-test3.patch +commit cce6a9f9bdd27096632ca1c0246dcc07f2eb1a18 +Author: Brad Spengler +Date: Fri Dec 4 14:24:12 2015 -0500 + + Initial import of pax-linux-4.3-test7.patch Documentation/dontdiff | 47 +- Documentation/kbuild/makefiles.txt | 39 +- @@ -2248,14 +2292,13 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- - arch/arm/include/asm/atomic.h | 319 +- - arch/arm/include/asm/barrier.h | 2 +- + arch/arm/include/asm/atomic.h | 320 +- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 4 + arch/arm/include/asm/cpuidle.h | 2 +- - arch/arm/include/asm/domain.h | 33 +- + arch/arm/include/asm/domain.h | 22 +- arch/arm/include/asm/elf.h | 9 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + 
@@ -2269,38 +2312,31 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/arm/include/asm/pgtable-2level.h | 3 +
 arch/arm/include/asm/pgtable-3level.h | 3 +
 arch/arm/include/asm/pgtable.h | 54 +-
- arch/arm/include/asm/psci.h | 2 +-
 arch/arm/include/asm/smp.h | 2 +-
- arch/arm/include/asm/thread_info.h | 6 +-
 arch/arm/include/asm/tls.h | 3 +
- arch/arm/include/asm/uaccess.h | 100 +-
+ arch/arm/include/asm/uaccess.h | 79 +-
 arch/arm/include/uapi/asm/ptrace.h | 2 +-
- arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/armksyms.c | 2 +-
 arch/arm/kernel/cpuidle.c | 2 +-
- arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/entry-armv.S | 109 +-
 arch/arm/kernel/entry-common.S | 40 +-
- arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/entry-header.S | 55 +
 arch/arm/kernel/fiq.c | 3 +
- arch/arm/kernel/head.S | 2 +-
+ arch/arm/kernel/module-plts.c | 7 +-
 arch/arm/kernel/module.c | 38 +-
 arch/arm/kernel/patch.c | 2 +
 arch/arm/kernel/process.c | 90 +-
- arch/arm/kernel/psci.c | 2 +-
 arch/arm/kernel/reboot.c | 1 +
 arch/arm/kernel/setup.c | 20 +-
 arch/arm/kernel/signal.c | 35 +-
 arch/arm/kernel/smp.c | 2 +-
 arch/arm/kernel/tcm.c | 4 +-
- arch/arm/kernel/traps.c | 6 +-
 arch/arm/kernel/vmlinux.lds.S | 6 +-
- arch/arm/kvm/arm.c | 10 +-
- arch/arm/lib/clear_user.S | 6 +-
- arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/kvm/arm.c | 8 +-
 arch/arm/lib/copy_page.S | 1 +
- arch/arm/lib/copy_to_user.S | 6 +-
 arch/arm/lib/csumpartialcopyuser.S | 4 +-
 arch/arm/lib/delay.c | 2 +-
- arch/arm/lib/uaccess_with_memcpy.c | 8 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 4 +-
 arch/arm/mach-exynos/suspend.c | 6 +-
 arch/arm/mach-mvebu/coherency.c | 4 +-
 arch/arm/mach-omap2/board-n8x0.c | 2 +-
@@ -2313,8 +2349,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +-
 arch/arm/mach-omap2/wd_timer.c | 6 +-
 arch/arm/mach-shmobile/platsmp-apmu.c | 5 +-
- arch/arm/mach-shmobile/pm-r8a7740.c | 5 +-
- arch/arm/mach-shmobile/pm-sh73a0.c | 5 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
 arch/arm/mach-tegra/irq.c | 1 +
 arch/arm/mach-ux500/pm.c | 1 +
@@ -2328,12 +2362,11 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/arm/mm/init.c | 39 +
 arch/arm/mm/ioremap.c | 4 +-
 arch/arm/mm/mmap.c | 30 +-
- arch/arm/mm/mmu.c | 182 +-
+ arch/arm/mm/mmu.c | 162 +-
 arch/arm/net/bpf_jit_32.c | 3 +
 arch/arm/plat-iop/setup.c | 2 +-
 arch/arm/plat-omap/sram.c | 2 +
 arch/arm64/include/asm/atomic.h | 10 +
- arch/arm64/include/asm/barrier.h | 2 +-
 arch/arm64/include/asm/percpu.h | 8 +-
 arch/arm64/include/asm/pgalloc.h | 5 +
 arch/arm64/include/asm/uaccess.h | 1 +
@@ -2346,7 +2379,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/frv/mm/elf-fdpic.c | 3 +-
 arch/ia64/Makefile | 1 +
 arch/ia64/include/asm/atomic.h | 10 +
- arch/ia64/include/asm/barrier.h | 2 +-
 arch/ia64/include/asm/elf.h | 7 +
 arch/ia64/include/asm/pgalloc.h | 12 +
 arch/ia64/include/asm/pgtable.h | 13 +-
@@ -2359,10 +2391,8 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/ia64/mm/fault.c | 32 +-
 arch/ia64/mm/init.c | 15 +-
 arch/m32r/lib/usercopy.c | 6 +
- arch/metag/include/asm/barrier.h | 2 +-
 arch/mips/cavium-octeon/dma-octeon.c | 2 +-
- arch/mips/include/asm/atomic.h | 355 +-
- arch/mips/include/asm/barrier.h | 2 +-
+ arch/mips/include/asm/atomic.h | 368 +-
 arch/mips/include/asm/elf.h | 7 +
 arch/mips/include/asm/exec.h | 2 +-
 arch/mips/include/asm/hw_irq.h | 2 +-
@@ -2373,14 +2403,12 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/mips/include/asm/uaccess.h | 1 +
 arch/mips/kernel/binfmt_elfn32.c | 7 +
 arch/mips/kernel/binfmt_elfo32.c | 7 +
- arch/mips/kernel/i8259.c | 2 +-
 arch/mips/kernel/irq-gt641xx.c | 2 +-
 arch/mips/kernel/irq.c | 6 +-
 arch/mips/kernel/pm-cps.c | 2 +-
 arch/mips/kernel/process.c | 12 -
 arch/mips/kernel/sync-r4k.c | 24 +-
 arch/mips/kernel/traps.c | 13 +-
- arch/mips/kvm/mips.c | 2 +-
 arch/mips/mm/fault.c | 25 +
 arch/mips/mm/mmap.c | 51 +-
 arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
@@ -2397,7 +2425,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/parisc/kernel/traps.c | 4 +-
 arch/parisc/mm/fault.c | 140 +-
 arch/powerpc/include/asm/atomic.h | 329 +-
- arch/powerpc/include/asm/barrier.h | 2 +-
 arch/powerpc/include/asm/elf.h | 12 +
 arch/powerpc/include/asm/exec.h | 2 +-
 arch/powerpc/include/asm/kmap_types.h | 2 +-
@@ -2421,14 +2448,12 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/powerpc/kernel/signal_64.c | 2 +-
 arch/powerpc/kernel/traps.c | 21 +
 arch/powerpc/kernel/vdso.c | 5 +-
- arch/powerpc/kvm/powerpc.c | 2 +-
 arch/powerpc/lib/usercopy_64.c | 18 -
 arch/powerpc/mm/fault.c | 56 +-
 arch/powerpc/mm/mmap.c | 16 +
 arch/powerpc/mm/slice.c | 13 +-
 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
 arch/s390/include/asm/atomic.h | 10 +
- arch/s390/include/asm/barrier.h | 2 +-
 arch/s390/include/asm/elf.h | 7 +
 arch/s390/include/asm/exec.h | 2 +-
 arch/s390/include/asm/uaccess.h | 13 +-
@@ -2439,7 +2464,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 arch/score/kernel/process.c | 5 -
 arch/sh/mm/mmap.c | 22 +-
 arch/sparc/include/asm/atomic_64.h | 110 +-
- arch/sparc/include/asm/barrier_64.h | 2 +-
 arch/sparc/include/asm/cache.h | 2 +-
 arch/sparc/include/asm/elf_32.h | 7 +
 arch/sparc/include/asm/elf_64.h | 7 +
@@ -2518,25 +2542,26 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + - arch/x86/entry/calling.h | 92 +- - arch/x86/entry/entry_32.S | 360 +- - arch/x86/entry/entry_64.S | 636 +- + arch/x86/entry/calling.h | 86 +- + arch/x86/entry/common.c | 13 +- + arch/x86/entry/entry_32.S | 351 +- + arch/x86/entry/entry_64.S | 619 +- arch/x86/entry/entry_64_compat.S | 159 +- arch/x86/entry/thunk_64.S | 2 + arch/x86/entry/vdso/Makefile | 2 +- - arch/x86/entry/vdso/vdso2c.h | 4 +- + arch/x86/entry/vdso/vdso2c.h | 8 +- arch/x86/entry/vdso/vma.c | 41 +- arch/x86/entry/vsyscall/vsyscall_64.c | 16 +- + arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +- arch/x86/ia32/ia32_signal.c | 23 +- arch/x86/ia32/sys_ia32.c | 42 +- arch/x86/include/asm/alternative-asm.h | 43 +- arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- - arch/x86/include/asm/atomic.h | 269 +- + arch/x86/include/asm/atomic.h | 230 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 164 +- - arch/x86/include/asm/barrier.h | 4 +- arch/x86/include/asm/bitops.h | 18 +- arch/x86/include/asm/boot.h | 2 +- arch/x86/include/asm/cache.h | 5 +- @@ -2549,8 +2574,8 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 33 +- arch/x86/include/asm/emergency-restart.h | 2 +- - arch/x86/include/asm/fpu/internal.h | 36 +- - arch/x86/include/asm/fpu/types.h | 5 +- + arch/x86/include/asm/fpu/internal.h | 42 +- + arch/x86/include/asm/fpu/types.h | 6 +- arch/x86/include/asm/futex.h | 14 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- 
@@ -2560,7 +2585,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/include/asm/local.h | 106 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 14 +- - arch/x86/include/asm/mmu_context.h | 138 +- + arch/x86/include/asm/mmu_context.h | 114 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 19 +- arch/x86/include/asm/page.h | 1 + @@ -2570,17 +2595,16 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/include/asm/paravirt_types.h | 15 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + - arch/x86/include/asm/pgtable-3level.h | 4 + + arch/x86/include/asm/pgtable-3level.h | 7 + arch/x86/include/asm/pgtable.h | 128 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 24 +- - arch/x86/include/asm/pgtable_64.h | 22 +- + arch/x86/include/asm/pgtable_64.h | 23 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 26 +- arch/x86/include/asm/preempt.h | 2 +- - arch/x86/include/asm/processor.h | 59 +- - arch/x86/include/asm/ptrace.h | 21 +- - arch/x86/include/asm/qrwlock.h | 4 +- + arch/x86/include/asm/processor.h | 57 +- + arch/x86/include/asm/ptrace.h | 13 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rmwcc.h | 84 +- 
@@ -2607,14 +2631,14 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 124 +- arch/x86/kernel/apic/apic.c | 4 +- - arch/x86/kernel/apic/apic_flat_64.c | 4 +- + arch/x86/kernel/apic/apic_flat_64.c | 6 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/msi.c | 2 +- - arch/x86/kernel/apic/probe_32.c | 2 +- + arch/x86/kernel/apic/probe_32.c | 4 +- arch/x86/kernel/apic/vector.c | 4 +- - arch/x86/kernel/apic/x2apic_cluster.c | 4 +- + arch/x86/kernel/apic/x2apic_cluster.c | 2 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 21 +- @@ -2622,12 +2646,12 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- + arch/x86/kernel/cpu/bugs_64.c | 2 + arch/x86/kernel/cpu/common.c | 202 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 14 +- - arch/x86/kernel/cpu/mcheck/mce.c | 31 +- + arch/x86/kernel/cpu/mcheck/mce.c | 34 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + - arch/x86/kernel/cpu/microcode/core.c | 2 +- arch/x86/kernel/cpu/microcode/intel.c | 4 +- arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- @@ -2640,7 +2664,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- - arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 24 +- 
@@ -2648,16 +2671,16 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/dumpstack_64.c | 62 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + - arch/x86/kernel/espfix_64.c | 13 +- - arch/x86/kernel/fpu/core.c | 22 +- - arch/x86/kernel/fpu/init.c | 8 +- + arch/x86/kernel/espfix_64.c | 44 +- + arch/x86/kernel/fpu/core.c | 24 +- + arch/x86/kernel/fpu/init.c | 40 +- arch/x86/kernel/fpu/regset.c | 22 +- arch/x86/kernel/fpu/signal.c | 20 +- arch/x86/kernel/fpu/xstate.c | 8 +- arch/x86/kernel/ftrace.c | 18 +- arch/x86/kernel/head64.c | 14 +- arch/x86/kernel/head_32.S | 235 +- - arch/x86/kernel/head_64.S | 149 +- + arch/x86/kernel/head_64.S | 173 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- @@ -2669,6 +2692,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/kprobes/core.c | 28 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ksysfs.c | 2 +- + arch/x86/kernel/kvmclock.c | 20 +- arch/x86/kernel/ldt.c | 25 + arch/x86/kernel/livepatch.c | 12 +- arch/x86/kernel/machine_kexec_32.c | 6 +- @@ -2683,9 +2707,9 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- - arch/x86/kernel/process.c | 71 +- - arch/x86/kernel/process_32.c | 30 +- - arch/x86/kernel/process_64.c | 19 +- + arch/x86/kernel/process.c | 80 +- + arch/x86/kernel/process_32.c | 29 +- + arch/x86/kernel/process_64.c | 14 +- arch/x86/kernel/ptrace.c | 20 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- 
@@ -2707,20 +2731,20 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/kernel/tsc.c | 2 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- - arch/x86/kernel/vmlinux.lds.S | 147 +- + arch/x86/kernel/vmlinux.lds.S | 153 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 2 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- - arch/x86/kvm/svm.c | 8 + - arch/x86/kvm/vmx.c | 82 +- - arch/x86/kvm/x86.c | 44 +- + arch/x86/kvm/svm.c | 10 +- + arch/x86/kvm/vmx.c | 62 +- + arch/x86/kvm/x86.c | 42 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 98 +- - arch/x86/lib/checksum_32.S | 97 +- + arch/x86/lib/checksum_32.S | 99 +- arch/x86/lib/clear_page_64.S | 3 + arch/x86/lib/cmpxchg16b_emu.S | 3 + arch/x86/lib/copy_page_64.S | 14 +- @@ -2746,22 +2770,22 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/mm/extable.c | 26 +- arch/x86/mm/fault.c | 570 +- arch/x86/mm/gup.c | 6 +- - arch/x86/mm/highmem_32.c | 4 + + arch/x86/mm/highmem_32.c | 6 + arch/x86/mm/hugetlbpage.c | 24 +- - arch/x86/mm/init.c | 101 +- + arch/x86/mm/init.c | 111 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 46 +- arch/x86/mm/iomap_32.c | 4 + - arch/x86/mm/ioremap.c | 44 +- + arch/x86/mm/ioremap.c | 52 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 40 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- - arch/x86/mm/pageattr.c | 33 +- + arch/x86/mm/pageattr.c | 38 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- - arch/x86/mm/pgtable.c | 162 +- + arch/x86/mm/pgtable.c | 214 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + 
@@ -2799,7 +2823,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 arch/x86/um/mem_32.c | 2 +- arch/x86/um/tls_32.c | 2 +- arch/x86/xen/enlighten.c | 50 +- - arch/x86/xen/mmu.c | 17 +- + arch/x86/xen/mmu.c | 19 +- arch/x86/xen/smp.c | 16 +- arch/x86/xen/xen-asm_32.S | 2 +- arch/x86/xen/xen-head.S | 11 + @@ -2815,7 +2839,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- - crypto/zlib.c | 4 +- + crypto/zlib.c | 12 +- drivers/acpi/acpi_video.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/ghes.c | 4 +- @@ -2825,14 +2849,12 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/acpi/device_pm.c | 4 +- drivers/acpi/ec.c | 2 +- drivers/acpi/pci_slot.c | 2 +- - drivers/acpi/processor_driver.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/processor_pdc.c | 2 +- drivers/acpi/sleep.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/acpi/thermal.c | 2 +- drivers/acpi/video_detect.c | 7 +- - drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- @@ -2856,9 +2878,11 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- + drivers/base/platform-msi.c | 20 +- drivers/base/power/domain.c | 11 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- + drivers/base/regmap/regmap-debugfs.c | 11 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- @@ -2873,6 +2897,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/block/pktcdvd.c | 4 +- drivers/block/rbd.c | 2 +- drivers/bluetooth/btwilink.c | 2 +- + drivers/bus/arm-cci.c | 12 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- 
@@ -2887,15 +2912,16 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/char/random.c | 12 +- drivers/char/sonypi.c | 11 +- drivers/char/tpm/tpm_acpi.c | 3 +- - drivers/char/tpm/tpm_eventlog.c | 7 +- + drivers/char/tpm/tpm_eventlog.c | 4 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/samsung/clk.h | 2 +- drivers/clk/socfpga/clk-gate.c | 9 +- drivers/clk/socfpga/clk-pll.c | 9 +- + drivers/clk/ti/clk.c | 8 +- drivers/cpufreq/acpi-cpufreq.c | 17 +- drivers/cpufreq/cpufreq-dt.c | 4 +- - drivers/cpufreq/cpufreq.c | 26 +- + drivers/cpufreq/cpufreq.c | 30 +- drivers/cpufreq/cpufreq_governor.c | 2 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- @@ -2929,13 +2955,14 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/firmware/google/gsmi.c | 2 +- drivers/firmware/google/memconsole.c | 7 +- drivers/firmware/memmap.c | 2 +- + drivers/firmware/psci.c | 2 +- drivers/gpio/gpio-davinci.c | 6 +- drivers/gpio/gpio-em.c | 2 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-omap.c | 4 +- drivers/gpio/gpio-rcar.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- - drivers/gpio/gpiolib.c | 13 +- + drivers/gpio/gpiolib.c | 12 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +- 
@@ -2956,13 +2983,11 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/gma500/mdfld_dsi_dpi.c | 10 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- - drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- - drivers/gpu/drm/i915/i915_gem_gtt.c | 32 +- - drivers/gpu/drm/i915/i915_gem_gtt.h | 16 +- - drivers/gpu/drm/i915/i915_gem_stolen.c | 2 +- - drivers/gpu/drm/i915/i915_ioc32.c | 16 +- + drivers/gpu/drm/i915/i915_gem_gtt.c | 16 +- + drivers/gpu/drm/i915/i915_gem_gtt.h | 6 +- + drivers/gpu/drm/i915/i915_ioc32.c | 10 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/imx/imx-drm-core.c | 2 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- @@ -3002,11 +3027,8 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- - drivers/gpu/drm/virtio/virtgpu_debugfs.c | 2 +- - drivers/gpu/drm/virtio/virtgpu_fence.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- - drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- 
@@ -3029,18 +3051,16 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- - drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- + drivers/ide/ide-disk.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/iio/magnetometer/ak8975.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/core/uverbs_cmd.c | 3 + drivers/infiniband/hw/cxgb4/mem.c | 4 +- - drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- - drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- @@ -3066,6 +3086,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/input/touchscreen/htcpen.c | 2 +- + drivers/iommu/arm-smmu-v3.c | 2 +- drivers/iommu/arm-smmu.c | 43 +- drivers/iommu/io-pgtable-arm.c | 101 +- drivers/iommu/io-pgtable.c | 11 +- @@ -3074,6 +3095,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/iommu/ipmmu-vmsa.c | 13 +- drivers/iommu/irq_remapping.c | 2 +- drivers/irqchip/irq-gic.c | 2 +- + drivers/irqchip/irq-i8259.c | 2 +- drivers/irqchip/irq-renesas-intc-irqpin.c | 2 +- drivers/irqchip/irq-renesas-irqc.c | 2 +- drivers/isdn/capi/capi.c | 10 +- @@ -3102,7 +3124,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400 drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- - drivers/md/raid10.c | 16 +- + drivers/md/raid10.c | 18 +- drivers/md/raid5.c | 22 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/af9033.h | 2 +- 
@@ -3137,8 +3159,9 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/mfd/max8925-i2c.c | 2 +-
 drivers/mfd/tps65910.c | 2 +-
 drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/wm5110-tables.c | 2 +-
+ drivers/mfd/wm8998-tables.c | 2 +-
 drivers/misc/c2port/core.c | 4 +-
- drivers/misc/eeprom/sunxi_sid.c | 4 +-
 drivers/misc/kgdbts.c | 4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
@@ -3192,7 +3215,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
 drivers/net/ethernet/mellanox/mlx4/en_tx.c | 4 +-
- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
@@ -3201,6 +3224,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/net/ethernet/sfc/ptp.c | 2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
 drivers/net/ethernet/via/via-rhine.c | 2 +-
+ drivers/net/geneve.c | 2 +-
 drivers/net/hyperv/hyperv_net.h | 2 +-
 drivers/net/hyperv/rndis_filter.c | 4 +-
 drivers/net/ifb.c | 2 +-
@@ -3217,16 +3241,19 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/net/usb/r8152.c | 2 +-
 drivers/net/usb/sierra_net.c | 4 +-
 drivers/net/virtio_net.c | 2 +-
+ drivers/net/vrf.c | 2 +-
 drivers/net/vxlan.c | 4 +-
 drivers/net/wimax/i2400m/rx.c | 2 +-
 drivers/net/wireless/airo.c | 2 +-
 drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath10k/ce.c | 6 +-
 drivers/net/wireless/ath/ath10k/htc.c | 7 +-
 drivers/net/wireless/ath/ath10k/htc.h | 4 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 36 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 64 +-
 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
 drivers/net/wireless/ath/ath9k/main.c | 22 +-
+ drivers/net/wireless/ath/wil6210/wil_platform.h | 2 +-
 drivers/net/wireless/b43/phy_lp.c | 2 +-
 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
@@ -3243,7 +3270,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/oprofile/buffer_sync.c | 8 +-
 drivers/oprofile/event_buffer.c | 2 +-
 drivers/oprofile/oprof.c | 2 +-
- drivers/oprofile/oprofile_files.c | 2 +-
 drivers/oprofile/oprofile_stats.c | 10 +-
 drivers/oprofile/oprofile_stats.h | 10 +-
 drivers/oprofile/oprofilefs.c | 6 +-
@@ -3256,12 +3282,13 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/pci/hotplug/cpqphp_nvram.c | 2 +
 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
 drivers/pci/hotplug/pciehp_core.c | 2 +-
- drivers/pci/msi.c | 21 +-
+ drivers/pci/msi.c | 22 +-
 drivers/pci/pci-sysfs.c | 6 +-
 drivers/pci/pci.h | 2 +-
 drivers/pci/pcie/aspm.c | 6 +-
 drivers/pci/pcie/portdrv_pci.c | 2 +-
 drivers/pci/probe.c | 2 +-
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 2 +-
 drivers/pinctrl/pinctrl-at91.c | 5 +-
 drivers/platform/chrome/chromeos_pstore.c | 2 +-
 drivers/platform/x86/alienware-wmi.c | 4 +-
@@ -3307,6 +3334,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
 drivers/scsi/lpfc/lpfc_init.c | 6 +-
 drivers/scsi/lpfc/lpfc_scsi.c | 10 +-
+ drivers/scsi/megaraid/megaraid_sas.h | 2 +-
 drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
 drivers/scsi/pmcraid.c | 20 +-
 drivers/scsi/pmcraid.h | 8 +-
@@ -3326,7 +3354,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/scsi/sr.c | 21 +-
 drivers/soc/tegra/fuse/fuse-tegra.c | 2 +-
 drivers/spi/spi.c | 2 +-
- drivers/spi/spidev.c | 2 +-
 drivers/staging/android/timed_output.c | 6 +-
 drivers/staging/comedi/comedi_fops.c | 8 +-
 drivers/staging/fbtft/fbtft-core.c | 2 +-
@@ -3339,16 +3366,15 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
 drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
 drivers/staging/lustre/lustre/include/obd.h | 2 +-
- drivers/staging/lustre/lustre/libcfs/module.c | 6 +-
- drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet-rx.c | 20 +-
 drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rdma/ipath/ipath_rc.c | 6 +-
+ drivers/staging/rdma/ipath/ipath_ruc.c | 6 +-
 drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
 drivers/staging/sm750fb/sm750.c | 14 +-
 drivers/staging/unisys/visorbus/visorbus_private.h | 4 +-
 drivers/target/sbp/sbp_target.c | 4 +-
- drivers/target/target_core_device.c | 2 +-
- drivers/target/target_core_transport.c | 2 +-
 drivers/thermal/cpu_cooling.c | 9 +-
 drivers/thermal/int340x_thermal/int3400_thermal.c | 6 +-
 drivers/thermal/of-thermal.c | 17 +-
@@ -3361,7 +3387,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/tty/ipwireless/tty.c | 27 +-
 drivers/tty/moxa.c | 2 +-
 drivers/tty/n_gsm.c | 4 +-
- drivers/tty/n_tty.c | 5 +-
+ drivers/tty/n_tty.c | 3 +-
 drivers/tty/pty.c | 4 +-
 drivers/tty/rocket.c | 6 +-
 drivers/tty/serial/8250/8250_core.c | 10 +-
@@ -3381,10 +3407,10 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/uio/uio.c | 13 +-
 drivers/usb/atm/cxacru.c | 2 +-
 drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/class/cdc-acm.h | 2 +-
 drivers/usb/core/devices.c | 6 +-
- drivers/usb/core/devio.c | 10 +-
+ drivers/usb/core/devio.c | 12 +-
 drivers/usb/core/hcd.c | 4 +-
- drivers/usb/core/message.c | 6 +-
 drivers/usb/core/sysfs.c | 2 +-
 drivers/usb/core/usb.c | 2 +-
 drivers/usb/early/ehci-dbgp.c | 16 +-
@@ -3403,6 +3429,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/usb/host/xhci.c | 2 +-
 drivers/usb/misc/appledisplay.c | 4 +-
 drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/transport.c | 2 +-
 drivers/usb/storage/usb.c | 2 +-
 drivers/usb/storage/usb.h | 2 +-
 drivers/usb/usbip/vhci.h | 2 +-
@@ -3413,6 +3440,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 drivers/vfio/vfio.c | 2 +-
 drivers/vhost/vringh.c | 20 +-
 drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/console/fbcon.c | 2 +-
 drivers/video/fbdev/aty/aty128fb.c | 2 +-
 drivers/video/fbdev/aty/atyfb_base.c | 8 +-
 drivers/video/fbdev/aty/mach64_cursor.c | 5 +-
@@ -3438,12 +3466,14 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 fs/autofs4/waitq.c | 2 +-
 fs/befs/endian.h | 6 +-
 fs/binfmt_aout.c | 23 +-
- fs/binfmt_elf.c | 672 +-
- fs/binfmt_elf_fdpic.c | 2 +-
+ fs/binfmt_elf.c | 670 +-
+ fs/binfmt_elf_fdpic.c | 4 +-
 fs/block_dev.c | 2 +-
 fs/btrfs/ctree.c | 9 +-
- fs/btrfs/delayed-inode.c | 6 +-
- fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/delayed-inode.c | 9 +-
+ fs/btrfs/delayed-inode.h | 6 +-
+ fs/btrfs/file.c | 10 +-
+ fs/btrfs/inode.c | 14 +-
 fs/btrfs/super.c | 2 +-
 fs/btrfs/sysfs.c | 2 +-
 fs/btrfs/tests/free-space-tests.c | 8 +-
@@ -3475,10 +3505,8 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 fs/ecryptfs/miscdev.c | 2 +-
 fs/exec.c | 362 +-
 fs/ext2/xattr.c | 5 +-
- fs/ext3/xattr.c | 5 +-
 fs/ext4/ext4.h | 20 +-
 fs/ext4/mballoc.c | 44 +-
- fs/ext4/mmp.c | 2 +-
 fs/ext4/resize.c | 16 +-
 fs/ext4/super.c | 4 +-
 fs/ext4/xattr.c | 5 +-
@@ -3546,18 +3574,17 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 fs/squashfs/xattr.c | 12 +-
 fs/sysv/sysv.h | 2 +-
 fs/tracefs/inode.c | 8 +-
- fs/ubifs/io.c | 2 +-
 fs/udf/misc.c | 2 +-
 fs/ufs/swab.h | 4 +-
+ fs/userfaultfd.c | 2 +-
 fs/xattr.c | 21 +
 fs/xfs/libxfs/xfs_bmap.c | 2 +-
 fs/xfs/xfs_dir2_readdir.c | 7 +-
 fs/xfs/xfs_ioctl.c | 2 +-
 fs/xfs/xfs_linux.h | 4 +-
 include/asm-generic/4level-fixup.h | 2 +
- include/asm-generic/atomic-long.h | 214 +-
+ include/asm-generic/atomic-long.h | 156 +-
 include/asm-generic/atomic64.h | 12 +
- include/asm-generic/barrier.h | 2 +-
 include/asm-generic/bitops/__fls.h | 2 +-
 include/asm-generic/bitops/fls.h | 2 +-
 include/asm-generic/bitops/fls64.h | 4 +-
@@ -3569,8 +3596,9 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/asm-generic/pgtable-nopmd.h | 18 +-
 include/asm-generic/pgtable-nopud.h | 15 +-
 include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/sections.h | 1 +
 include/asm-generic/uaccess.h | 16 +
- include/asm-generic/vmlinux.lds.h | 13 +-
+ include/asm-generic/vmlinux.lds.h | 15 +-
 include/crypto/algapi.h | 2 +-
 include/drm/drmP.h | 16 +-
 include/drm/drm_crtc_helper.h | 2 +-
@@ -3581,8 +3609,9 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/drm/ttm/ttm_page_alloc.h | 1 +
 include/keys/asymmetric-subtype.h | 2 +-
 include/linux/atmdev.h | 4 +-
- include/linux/atomic.h | 2 +-
+ include/linux/atomic.h | 17 +-
 include/linux/audit.h | 2 +-
+ include/linux/average.h | 2 +-
 include/linux/binfmts.h | 3 +-
 include/linux/bitmap.h | 2 +-
 include/linux/bitops.h | 8 +-
@@ -3594,8 +3623,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/linux/clk-provider.h | 1 +
 include/linux/compat.h | 6 +-
 include/linux/compiler-gcc.h | 28 +-
- include/linux/compiler.h | 95 +-
- include/linux/completion.h | 12 +-
+ include/linux/compiler.h | 157 +-
 include/linux/configfs.h | 2 +-
 include/linux/cpufreq.h | 3 +-
 include/linux/cpuidle.h | 5 +-
@@ -3634,22 +3662,20 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/linux/irq.h | 5 +-
 include/linux/irqdesc.h | 2 +-
 include/linux/irqdomain.h | 3 +
- include/linux/jiffies.h | 30 +-
- include/linux/kernel.h | 2 +-
+ include/linux/jiffies.h | 16 +-
 include/linux/key-type.h | 2 +-
 include/linux/kgdb.h | 6 +-
 include/linux/kmemleak.h | 4 +-
 include/linux/kobject.h | 3 +-
 include/linux/kobject_ns.h | 2 +-
 include/linux/kref.h | 2 +-
- include/linux/kvm_host.h | 4 +-
 include/linux/libata.h | 2 +-
 include/linux/linkage.h | 1 +
 include/linux/list.h | 15 +
 include/linux/lockref.h | 26 +-
 include/linux/math64.h | 10 +-
 include/linux/mempolicy.h | 7 +
- include/linux/mm.h | 104 +-
+ include/linux/mm.h | 102 +-
 include/linux/mm_types.h | 20 +
 include/linux/mmiotrace.h | 4 +-
 include/linux/mmzone.h | 2 +-
@@ -3678,20 +3704,21 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/linux/ppp-comp.h | 2 +-
 include/linux/preempt.h | 21 +
 include/linux/proc_ns.h | 2 +-
+ include/linux/psci.h | 2 +-
 include/linux/quota.h | 2 +-
- include/linux/random.h | 23 +-
+ include/linux/random.h | 19 +-
 include/linux/rculist.h | 16 +
 include/linux/reboot.h | 14 +-
 include/linux/regset.h | 3 +-
 include/linux/relay.h | 2 +-
 include/linux/rio.h | 2 +-
 include/linux/rmap.h | 4 +-
- include/linux/sched.h | 74 +-
+ include/linux/sched.h | 72 +-
 include/linux/sched/sysctl.h | 1 +
 include/linux/semaphore.h | 2 +-
 include/linux/seq_file.h | 1 +
 include/linux/signal.h | 2 +-
- include/linux/skbuff.h | 10 +-
+ include/linux/skbuff.h | 12 +-
 include/linux/slab.h | 47 +-
 include/linux/slab_def.h | 14 +-
 include/linux/slub_def.h | 2 +-
@@ -3703,6 +3730,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/linux/sunrpc/svc.h | 2 +-
 include/linux/sunrpc/svc_rdma.h | 18 +-
 include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swapops.h | 10 +-
 include/linux/swiotlb.h | 3 +-
 include/linux/syscalls.h | 21 +-
 include/linux/syscore_ops.h | 2 +-
@@ -3718,7 +3746,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/linux/uaccess.h | 6 +-
 include/linux/uio_driver.h | 2 +-
 include/linux/unaligned/access_ok.h | 24 +-
- include/linux/usb.h | 6 +-
+ include/linux/usb.h | 12 +-
 include/linux/usb/hcd.h | 1 +
 include/linux/usb/renesas_usbhs.h | 2 +-
 include/linux/vermagic.h | 21 +-
@@ -3741,6 +3769,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/net/inetpeer.h | 2 +-
 include/net/ip_fib.h | 2 +-
 include/net/ip_vs.h | 8 +-
+ include/net/ipv6.h | 2 +-
 include/net/irda/ircomm_tty.h | 1 +
 include/net/iucv/af_iucv.h | 2 +-
 include/net/llc_c_ac.h | 2 +-
@@ -3748,7 +3777,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/net/llc_c_st.h | 2 +-
 include/net/llc_s_ac.h | 2 +-
 include/net/llc_s_st.h | 2 +-
- include/net/mac80211.h | 2 +-
+ include/net/mac80211.h | 4 +-
 include/net/neighbour.h | 2 +-
 include/net/net_namespace.h | 18 +-
 include/net/netlink.h | 2 +-
@@ -3773,7 +3802,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 include/scsi/sg.h | 2 +-
 include/sound/compress_driver.h | 2 +-
 include/sound/soc.h | 4 +-
- include/target/target_core_base.h | 2 +-
 include/trace/events/irq.h | 4 +-
 include/uapi/linux/a.out.h | 8 +
 include/uapi/linux/bcache.h | 5 +-
@@ -3810,12 +3838,12 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 kernel/events/internal.h | 10 +-
 kernel/events/uprobes.c | 2 +-
 kernel/exit.c | 2 +-
- kernel/fork.c | 165 +-
+ kernel/fork.c | 167 +-
 kernel/futex.c | 11 +-
 kernel/futex_compat.c | 2 +-
 kernel/gcov/base.c | 7 +-
 kernel/irq/manage.c | 2 +-
- kernel/irq/msi.c | 20 +-
+ kernel/irq/msi.c | 19 +-
 kernel/irq/spurious.c | 2 +-
 kernel/jump_label.c | 5 +
 kernel/kallsyms.c | 37 +-
@@ -3827,7 +3855,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 kernel/locking/mutex-debug.c | 12 +-
 kernel/locking/mutex-debug.h | 4 +-
 kernel/locking/mutex.c | 6 +-
- kernel/locking/rtmutex-tester.c | 24 +-
 kernel/module.c | 422 +-
 kernel/notifier.c | 17 +-
 kernel/padata.c | 4 +-
@@ -3839,12 +3866,11 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 kernel/ptrace.c | 8 +-
 kernel/rcu/rcutorture.c | 60 +-
 kernel/rcu/tiny.c | 4 +-
- kernel/rcu/tree.c | 66 +-
- kernel/rcu/tree.h | 26 +-
+ kernel/rcu/tree.c | 44 +-
+ kernel/rcu/tree.h | 14 +-
 kernel/rcu/tree_plugin.h | 14 +-
- kernel/rcu/tree_trace.c | 22 +-
+ kernel/rcu/tree_trace.c | 12 +-
 kernel/sched/auto_group.c | 4 +-
- kernel/sched/completion.c | 6 +-
 kernel/sched/core.c | 45 +-
 kernel/sched/fair.c | 2 +-
 kernel/sched/sched.h | 2 +-
@@ -3856,7 +3882,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 kernel/time/alarmtimer.c | 2 +-
 kernel/time/posix-cpu-timers.c | 4 +-
 kernel/time/posix-timers.c | 24 +-
- kernel/time/timer.c | 4 +-
+ kernel/time/timer.c | 2 +-
 kernel/time/timer_stats.c | 10 +-
 kernel/trace/blktrace.c | 6 +-
 kernel/trace/ftrace.c | 15 +-
@@ -3873,11 +3899,10 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 kernel/user_namespace.c | 2 +-
 kernel/utsname_sysctl.c | 2 +-
 kernel/watchdog.c | 2 +-
- kernel/workqueue.c | 4 +-
+ kernel/workqueue.c | 2 +-
 lib/Kconfig.debug | 8 +-
 lib/Makefile | 2 +-
- lib/average.c | 2 +-
- lib/bitmap.c | 10 +-
+ lib/bitmap.c | 8 +-
 lib/bug.c | 2 +
 lib/debugobjects.c | 2 +-
 lib/decompress_bunzip2.c | 3 +-
@@ -3900,21 +3925,22 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 lib/vsprintf.c | 12 +-
 mm/Kconfig | 6 +-
 mm/backing-dev.c | 4 +-
+ mm/debug.c | 3 +
 mm/filemap.c | 2 +-
 mm/gup.c | 13 +-
- mm/highmem.c | 7 +-
+ mm/highmem.c | 6 +-
 mm/hugetlb.c | 70 +-
- mm/internal.h | 3 +-
+ mm/internal.h | 1 +
 mm/maccess.c | 4 +-
 mm/madvise.c | 37 +
- mm/memory-failure.c | 34 +-
- mm/memory.c | 425 +-
+ mm/memory-failure.c | 6 +-
+ mm/memory.c | 424 +-
 mm/mempolicy.c | 25 +
 mm/mlock.c | 15 +-
 mm/mm_init.c | 2 +-
 mm/mmap.c | 582 +-
 mm/mprotect.c | 137 +-
- mm/mremap.c | 44 +-
+ mm/mremap.c | 39 +-
 mm/nommu.c | 21 +-
 mm/page-writeback.c | 2 +-
 mm/page_alloc.c | 49 +-
@@ -3932,7 +3958,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 mm/swap.c | 2 +
 mm/swapfile.c | 12 +-
 mm/util.c | 6 +
- mm/vmalloc.c | 112 +-
+ mm/vmalloc.c | 114 +-
 mm/vmstat.c | 12 +-
 net/8021q/vlan.c | 5 +-
 net/8021q/vlan_netlink.c | 2 +-
@@ -3969,7 +3995,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 net/core/net_namespace.c | 8 +-
 net/core/netpoll.c | 4 +-
 net/core/rtnetlink.c | 15 +-
- net/core/scm.c | 8 +-
+ net/core/scm.c | 14 +-
 net/core/skbuff.c | 8 +-
 net/core/sock.c | 28 +-
 net/core/sock_diag.c | 15 +-
@@ -4003,7 +4029,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 net/ipv4/tcp_probe.c | 2 +-
 net/ipv4/udp.c | 10 +-
 net/ipv4/xfrm4_policy.c | 18 +-
- net/ipv6/addrconf.c | 16 +-
+ net/ipv6/addrconf.c | 18 +-
 net/ipv6/af_inet6.c | 2 +-
 net/ipv6/datagram.c | 2 +-
 net/ipv6/icmp.c | 2 +-
@@ -4021,7 +4047,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 net/ipv6/sit.c | 4 +-
 net/ipv6/sysctl_net_ipv6.c | 2 +-
 net/ipv6/udp.c | 6 +-
- net/ipv6/xfrm6_policy.c | 23 +-
+ net/ipv6/xfrm6_policy.c | 17 +-
 net/irda/ircomm/ircomm_tty.c | 18 +-
 net/iucv/af_iucv.c | 4 +-
 net/iucv/iucv.c | 2 +-
@@ -4059,8 +4085,6 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 net/netfilter/xt_statistic.c | 8 +-
 net/netlink/af_netlink.c | 4 +-
 net/openvswitch/vport-internal_dev.c | 2 +-
- net/openvswitch/vport.c | 16 +-
- net/openvswitch/vport.h | 8 +-
 net/packet/af_packet.c | 8 +-
 net/phonet/pep.c | 6 +-
 net/phonet/socket.c | 2 +-
@@ -4099,7 +4123,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 net/sunrpc/clnt.c | 4 +-
 net/sunrpc/sched.c | 4 +-
 net/sunrpc/svc.c | 4 +-
- net/sunrpc/svcauth_unix.c | 4 +-
+ net/sunrpc/svcauth_unix.c | 2 +-
 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
@@ -4115,7 +4139,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 scripts/Kbuild.include | 2 +-
 scripts/Makefile.build | 2 +-
 scripts/Makefile.clean | 3 +-
- scripts/Makefile.host | 63 +-
+ scripts/Makefile.host | 69 +-
 scripts/basic/fixdep.c | 12 +-
 scripts/dtc/checks.c | 14 +-
 scripts/dtc/data.c | 6 +-
@@ -4137,7 +4161,7 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 scripts/pnmtologo.c | 6 +-
 scripts/sortextable.h | 6 +-
 scripts/tags.sh | 2 +-
- security/Kconfig | 691 +-
+ security/Kconfig | 692 +-
 security/integrity/ima/ima.h | 4 +-
 security/integrity/ima/ima_api.c | 2 +-
 security/integrity/ima/ima_fs.c | 4 +-
@@ -4164,39 +4188,40 @@ Date: Tue Sep 29 09:13:54 2015 -0400
 sound/pci/hda/hda_codec.c | 2 +-
 sound/pci/ymfpci/ymfpci.h | 2 +-
 sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/codecs/sti-sas.c | 10 +-
 sound/soc/soc-ac97.c | 6 +-
 sound/soc/xtensa/xtfpga-i2s.c | 2 +-
 tools/gcc/Makefile | 42 +
 tools/gcc/checker_plugin.c | 150 +
 tools/gcc/colorize_plugin.c | 215 +
- tools/gcc/constify_plugin.c | 564 +
- tools/gcc/gcc-common.h | 790 +
- tools/gcc/initify_plugin.c | 450 +
+ tools/gcc/constify_plugin.c | 571 +
+ tools/gcc/gcc-common.h | 812 +
+ tools/gcc/initify_plugin.c | 552 +
 tools/gcc/kallocstat_plugin.c | 188 +
- tools/gcc/kernexec_plugin.c | 551 +
+ tools/gcc/kernexec_plugin.c | 549 +
 tools/gcc/latent_entropy_plugin.c | 470 +
 tools/gcc/size_overflow_plugin/.gitignore | 2 +
- tools/gcc/size_overflow_plugin/Makefile | 26 +
- .../disable_size_overflow_hash.data |11008 ++++++++++++++
+ tools/gcc/size_overflow_plugin/Makefile | 28 +
+ .../disable_size_overflow_hash.data |12422 ++++++++++++
 .../generate_size_overflow_hash.sh | 103 +
- .../insert_size_overflow_asm.c | 409 +
- .../size_overflow_plugin/intentional_overflow.c | 980 ++
+ .../insert_size_overflow_asm.c | 416 +
+ .../size_overflow_plugin/intentional_overflow.c | 1010 +
 .../size_overflow_plugin/remove_unnecessary_dup.c | 137 +
- tools/gcc/size_overflow_plugin/size_overflow.h | 329 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c | 192 +
- .../size_overflow_plugin/size_overflow_hash.data |15719 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin/size_overflow.h | 323 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 194 +
+ .../size_overflow_plugin/size_overflow_hash.data |20735 ++++++++++++++++++++
 .../size_overflow_hash_aux.data | 92 +
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1373 ++
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1226 ++
 .../gcc/size_overflow_plugin/size_overflow_misc.c | 505 +
 .../size_overflow_plugin/size_overflow_plugin.c | 318 +
- .../size_overflow_plugin_hash.c | 353 +
- .../size_overflow_plugin/size_overflow_transform.c | 576 +
- .../size_overflow_transform_core.c | 962 ++
+ .../size_overflow_plugin_hash.c | 352 +
+ .../size_overflow_plugin/size_overflow_transform.c | 749 +
+ .../size_overflow_transform_core.c | 1010 +
 tools/gcc/stackleak_plugin.c | 436 +
 tools/gcc/structleak_plugin.c | 287 +
 tools/include/linux/compiler.h | 8 +
 tools/lib/api/Makefile | 2 +-
 tools/perf/util/include/asm/alternative-asm.h | 3 +
 tools/virtio/linux/uaccess.h | 2 +-
- virt/kvm/kvm_main.c | 44 +-
- 1963 files changed, 60342 insertions(+), 8946 deletions(-)
+ virt/kvm/kvm_main.c | 42 +-
+ 1944 files changed, 66925 insertions(+), 8949 deletions(-)